Re: XSS out of scope from Shawn Duffy on 2007-04-06 (public-wsc-wg@w3.org from April 2007)

From: Shawn Duffy <sduffy@aol.net>
Date: Fri, 06 Apr 2007 10:45:40 -0400
To: Dan Schutzer <dan.schutzer@fstc.org>
CC: "'Mary Ellen Zurko'" <Mary_Ellen_Zurko@notesdev.ibm.com>, public-wsc-wg@w3.org, "'Close, Tyler J.'" <tyler.close@hp.com>
Message-ID: <46165D14.6050409@aol.net>

I would agree...  XSS, by itself, can be out of scope but it might still
be helpful to make recommendations on how a user agent might be able to
detect a form that looks like it doesn't belong.  Checking the POST
destination of the form or checking to see if the form html code resides
in the URL.  We might be able to address that without addressing XSS as
a whole.

Dan Schutzer wrote:
> I don’t think this should be out of scope, some of our solutions address
> how to mitigate this. And some of our suggestions for strengthening the
> Browser also help in this area.
> 
>  
> 
> ------------------------------------------------------------------------
> 
> *From:* public-wsc-wg-request@w3.org
> [mailto:public-wsc-wg-request@w3.org] *On Behalf Of *Mary Ellen Zurko
> *Sent:* Friday, April 06, 2007 10:11 AM
> *To:* Shawn Duffy <sduffy
> *Cc:* public-wsc-wg@w3.org; Close, Tyler J.
> *Subject:* Re: XSS out of scope
> 
>  
> 
> 
> I think it has to be. But could you offer up a scenario of what we would
> do it if wasn't, just so I can be sure? (or maybe someone who's sure
> will answer).
> 
>           Mez
> 
> Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
> Lotus/WPLC Security Strategy and Patent Innovation Architect
> 
> 
> *Shawn Duffy <sduffy@aol.net>*
> Sent by: public-wsc-wg-request@w3.org
> 
> 04/05/2007 10:44 AM
> 
>  
> 
> To
> 
>  
> 
> "Close, Tyler J." <tyler.close@hp.com>
> 
> cc
> 
>  
> 
> public-wsc-wg@w3.org
> 
> Subject
> 
>  
> 
> Re: XSS out of scope
> 
>  
> 
>  
> 
>  
> 
>  
> 
> 
> 
> 
> 
> Does this also include phishing that is only made possible via XSS, such
> as a "trusted" site that has been injected with a fake login form via
> XSS?  Is that also out of scope?  Just want to make sure I'm clear where
> we're drawing the boundary...
> 
> 
> Close, Tyler J. wrote:
>> I've added a new Out of scope section to our Note to cover XSS attacks.
>> See:
>>
>> http://www.w3.org/2006/WSC/drafts/note/#XSS
>>
>> This edit addresses ACTION-160
>>
>> Tyler
>>
> 
>

Received on Friday, 6 April 2007 15:02:05 UTC