ACTION-164 - Elaborate Cross Site Scripting in Wiki

Hello all,

I've updated the Threat Trees page of the Wiki with more detailed  
information on cross site scripting.  I've also made some minor  
editorial changes, more clearly calling out the description and goals  
of each attack.  You can see the current version here.

http://www.w3.org/2006/WSC/wiki/ThreatTrees

As discussed on the call earlier this week, much of XSS is beyond our  
scope.  I would suggest, however, that 2.A.i, 2.A.iv, 2.B.i, and  
2.B.iv, all of which involve the site sending information to a  
different site than the legitimate one being viewed, constitute  
information that a user agent *might* deem relevant to the user.  The  
others branches are there for completeness but, operating exclusively  
within the site being viewed, likely represent security issues beyond  
our scope.

Any comments are, of course, invited.  And I hope Stuart doesn't  
object to my formatting changes.  :)

Cheers,

Johnathan

---
Johnathan Nightingale
Human Shield
johnath@mozilla.com

Received on Friday, 23 March 2007 14:25:09 UTC