- From: Mike Beltzner <beltzner@mozilla.com>
- Date: Fri, 6 Apr 2007 16:53:02 +0000
- To: "Dan Schutzer" <dan.schutzer@fstc.org>, public-wsc-wg-request@w3.org, "'Mary Ellen Zurko'" <Mary_Ellen_Zurko@notesdev.ibm.com>, "'Shawn Duffy <sduffy'" <sduffy@aol.net>
- Cc: public-wsc-wg@w3.org, "'Close, Tyler J.'" <tyler.close@hp.com>
We need to get this straightened out. Johnathan asked if we were unfairly limiting scope to visible-UI-only solutions, meaning we couldn't recommend that the browser should silently make choices that increase a user's security. Stuart points out that XSS should be in scope for similar reasons.

The question really becomes: is the goal of this WG to only generate recommendations on how to *display* security context to users, or is it to also recommend what type of content should be blocked from being displayed? The latter is, IMO, a wider set of recommendations, since it starts talking about types of content that can/should be untrusted.

cheers,
mike

-----Original Message-----
From: "Dan Schutzer" <dan.schutzer@fstc.org>
Date: Fri, 6 Apr 2007 10:39:12
To: "'Mary Ellen Zurko'" <Mary_Ellen_Zurko@notesdev.ibm.com>, "'Shawn Duffy <sduffy'" <sduffy@aol.net>
Cc: <public-wsc-wg@w3.org>, "'Close, Tyler J.'" <tyler.close@hp.com>
Subject: RE: XSS out of scope

I don't think this should be out of scope; some of our solutions address how to mitigate this. And some of our suggestions for strengthening the Browser also help in this area.

----------------
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Mary Ellen Zurko
Sent: Friday, April 06, 2007 10:11 AM
To: Shawn Duffy <sduffy
Cc: public-wsc-wg@w3.org; Close, Tyler J.
Subject: Re: XSS out of scope

I think it has to be. But could you offer up a scenario of what we would do if it wasn't, just so I can be sure? (or maybe someone who's sure will answer).

Mez

Mary Ellen Zurko, STSM, IBM Lotus CTO Office (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect

Shawn Duffy <sduffy@aol.net>
Sent by: public-wsc-wg-request@w3.org
04/05/2007 10:44 AM
To: "Close, Tyler J." <tyler.close@hp.com>
cc: public-wsc-wg@w3.org
Subject: Re: XSS out of scope

Does this also include phishing that is only made possible via XSS, such as a "trusted" site that has been injected with a fake login form via XSS? Is that also out of scope? Just want to make sure I'm clear where we're drawing the boundary...

Close, Tyler J. wrote:
> I've added a new Out of scope section to our Note to cover XSS attacks.
> See:
>
> http://www.w3.org/2006/WSC/drafts/note/#XSS
>
> This edit addresses ACTION-160
>
> Tyler
>
Received on Friday, 6 April 2007 16:53:41 UTC