[whatwg] Dealing with UI redress vulnerabilities inherent to the current web
Michal Zalewski
lcamtuf at dione.cc
Tue Sep 30 10:57:42 PDT 2008
On Tue, 30 Sep 2008, Edward Z. Yang wrote:
> In that case, you are certainly correct; adding a salt only hinders an
> attacker. But if we're worried about Origin giving away a secret
> intranet website, I think things should be reasonable. Of course, they
> can still dictionary brute-force it...
I guess the concern is primarily over home users, as they seem to be
particularly fond of referrer-blocking plugins and so forth - and if
"Origin" becomes nearly as often blocked over rational or irrational
fears, it would become much less useful.
Corporations with large intranets probably care less, and there might be
better ways to help them if they do (from RFC1918 checks on browser end,
to proxies or internal redirectors that remove internal addresses only).
/mz
More information about the whatwg
mailing list