On Tue, Oct 11, 2016 at 10:54:52PM -0400, Viktor Dukhovni wrote:
> What's odd is not that SMTP and XMPP are immune, but rather
> the astonishing subtlety of the Web security model, which
> makes web applications vulnerable.

It is a combination of HTTP servers being pretty widely misconfig'd in a
manner that results in bogus responses to requests (pretty much nobody
has a similarly misconfig'd SMTP server (as it would be a major problem
in other ways), and AFAICT XMPP servers can't even be configured that
way), combined with the very brittle nature of the same-origin policy.
dane mailing list