[whatwg] Dealing with UI redress vulnerabilities inherent to the current web
Michal Zalewski
lcamtuf at dione.cc
Sun Sep 28 02:31:59 PDT 2008
On Sat, 27 Sep 2008, Jim Jewett wrote:
> Yet opt-in proposals expect content authors to immediately add security
> checks everywhere, which is considerably less realistic than having a
> handful of webpages adjust their behavior, if we indeed break it (which I
> don't think would be likely with the design). It feels better, but I am
> inclined to think it is considerably less beneficial.
>
> Why? Most sites won't add the checks because they don't need them.
Static pages do not (but would likely see no ill effects, too). Almost all
web applications, where the user has a distinct authenticated context, do.
Given that something like 90%+ of the list of top 100, 500, or whatever
websites visited by typical users belongs to the latter category (well,
looking at public stats at least), easily extrapolated to tens of millions
of other less successful but still used resources (web forums, shops,
chats, customer portals, etc.), that all these are almost always
significantly more complex than any static content (thousands of pages and
hundreds of distinct features are not uncommon) - I indeed see a problem
that is best addressed in an on-by-default mode.
If you have faith that all these places can be patched up because we tell
them so, and that those who want to would be able to do so consistently
and reliably - look at the current history of XSRF and XSS
vulnerabilities.
/mz