[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

Michal Zalewski lcamtuf at dione.cc
Tue Sep 30 10:57:42 PDT 2008


On Tue, 30 Sep 2008, Edward Z. Yang wrote:

> In that case, you are certainly correct; adding a salt only hinders an 
> attacker. But if we're worried about Origin giving away a secret 
> intranet website, I think things should be reasonable. Of course, they 
> can still dictionary brute-force it...

I guess the concern is primarily over home users, as they seem to be 
particularly fond of referrer-blocking plugins and so forth - and if 
"Origin" becomes nearly as often blocked over rational or irrational 
fears, it would become much less useful.

Corporations with large intranets probably care less, and there might be 
better ways to help them if they do (from RFC1918 checks on browser end, 
to proxies or internal redirectors that remove internal addresses only).

/mz



More information about the whatwg mailing list