- From: Johnathan Nightingale <johnath@mozilla.com>
- Date: Fri, 23 Mar 2007 10:24:53 -0400
- To: W3C WSC Public <public-wsc-wg@w3.org>
Hello all, I've updated the Threat Trees page of the Wiki with more detailed information on cross site scripting. I've also made some minor editorial changes, more clearly calling out the description and goals of each attack. You can see the current version here. http://www.w3.org/2006/WSC/wiki/ThreatTrees As discussed on the call earlier this week, much of XSS is beyond our scope. I would suggest, however, that 2.A.i, 2.A.iv, 2.B.i, and 2.B.iv, all of which involve the site sending information to a different site than the legitimate one being viewed, constitute information that a user agent *might* deem relevant to the user. The others branches are there for completeness but, operating exclusively within the site being viewed, likely represent security issues beyond our scope. Any comments are, of course, invited. And I hope Stuart doesn't object to my formatting changes. :) Cheers, Johnathan --- Johnathan Nightingale Human Shield johnath@mozilla.com
Received on Friday, 23 March 2007 14:25:09 UTC