- From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
- Date: Mon, 26 Mar 2007 13:39:02 -0400
- To: Johnathan Nightingale <johnath@mozilla.com>
- Cc: W3C WSC Public <public-wsc-wg@w3.org>
Received on Monday, 26 March 2007 17:39:07 UTC
There is not currently a "2.A.i", and several others you cite.
Mez
Johnathan Nightingale <johnath@mozilla.com> (sent by: public-wsc-wg-request@w3.org), 03/23/2007 10:24 AM
To: W3C WSC Public <public-wsc-wg@w3.org>
Subject: ACTION-164 - Elaborate Cross Site Scripting in Wiki
Hello all,
I've updated the Threat Trees page of the Wiki with more detailed
information on cross site scripting. I've also made some minor
editorial changes, more clearly calling out the description and goals
of each attack. You can see the current version here.
http://www.w3.org/2006/WSC/wiki/ThreatTrees
As discussed on the call earlier this week, much of XSS is beyond our
scope. I would suggest, however, that 2.A.i, 2.A.iv, 2.B.i, and
2.B.iv, all of which involve the site sending information to a
different site than the legitimate one being viewed, constitute
information that a user agent *might* deem relevant to the user. The
other branches are there for completeness but, operating exclusively
within the site being viewed, likely represent security issues beyond
our scope.
Any comments are, of course, invited. And I hope Stuart doesn't
object to my formatting changes. :)
Cheers,
Johnathan
---
Johnathan Nightingale
Human Shield
johnath@mozilla.com