On Sat, 27 Sep 2008, Jim Jewett wrote:
uhm... that is exactly when involuntary actions are *most* likely.
It's not about merely clicking something accidentally - it's about
clicking at a very specific place, as intended by the attacker, to trigger
a very specific functionality on a targeted
On Sat, 27 Sep 2008, Jim Jewett wrote:
Yet opt-in proposals expect content authors to immediately add security
checks everywhere, which is considerably less realistic than having a
handful of webpages adjust their behavior, if we indeed break it (which I
don't think would be likely with the
On Sun, 28 Sep 2008, Michal Zalewski wrote:
If you have faith that all these places can be patched up because we
tell them so, and that those who want to would be able to do so
consistently and reliably - look at the current history of XSRF and XSS
vulnerabilities.
...and consequently, the
On Sun, 28 Sep 2008, Robert O'Callahan wrote:
I'm not sure what you're talking about here. I'm specifically NOT talking
about Content-Restrictions or Site-Security-Policies or any other policies
for controlling what a page may do once it has loaded.
I'm expressing approval for your option 1,
On Sun, Sep 28, 2008 at 10:52 PM, Michal Zalewski wrote:
other browsers are getting cross-domain XMLHttpRequest headers
Using the W3C Access Controls spec, which I am suggesting to reuse here. If
you're not familiar with that spec, it's here:
On Sun, 28 Sep 2008, Robert O'Callahan wrote:
There is no way in the world that Microsoft would implement your option
3 in a security update to IE6.
Sure, I'm not implying this. I simply have doubts about any other major
security changes making it into MSIE8 or Firefox 3.
Cheers,
/mz
MSIE7 is not offered as an update for Windows XP running on Pentium II. I
dared not check whether it is possible to install it nevertheless. That
might explain that 20%.
Chris
On Mon, Sep 29, 2008 at 12:17 AM, Michal Zalewski wrote: