[whatwg] Updating Location Bar for RPC Type Apps
Ian Hickson
ian at hixie.ch
Fri Apr 22 16:51:04 PDT 2005
On Fri, 22 Apr 2005, Brad Neuberg wrote:
>
> Do you have an idea of what the threat model might be? I.e. who is
> attacking, why are they attacking, and how will they usually be
> attacking.
There are a number of attack vectors but the main ones are letting scripts
access data from other hosts or from the computer itself, letting scripts
affect the user's experience with the computer and the internet outside
the site in question, and making it easier for sites to spoof other sites
or system services in order to fraudulently obtain personal information.
So for example ways to disable the "back" button, or ways to override the
user's window manager, and ways for sites to make it appear that they are
other sites would be features that should never be allowed in the spec.
(<script src="">, <img src="">, and window.open() are examples of features
that currently exist in HTML browsers but suffer from these problems to
one extent or another.)
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'