[whatwg] Dealing with UI redress vulnerabilities inherent to the current web
Michal Zalewski
lcamtuf at dione.cc
Sun Sep 28 02:36:54 PDT 2008
On Sun, 28 Sep 2008, Michal Zalewski wrote:
> If you have faith that all these places can be patched up because we
> tell them so, and that those who want to would be able to do so
> consistently and reliably - look at the current history of XSRF and XSS
> vulnerabilities.
...and consequently, the worst-case scenario for breaking a page that did
not need the protection to begin with is that the owner easily opts out,
in a manner that is trivial to verify across his resources; on the other
hand, the worst-case scenario for leaving one out of thousands of resources
on Facebook, MySpace, eBay, or my wife's cat fanciers' forum accidentally
not protected by an opt-in mechanism in some obscure code path... is more
or less widespread misery that is extremely hard and sometimes expensive
to clean up.
/mz