Hi, I just saw this report and my initial reaction was that it seems to be a grave security risk to use HTML emails with user controlled content for email domain validation.
I don't see any need for this and would strongly recommend that a policy forbidding that practice gets implemented. The alternative would be carefully preventing XSS issues, but honestly, XSS is complicated and subtle, and I don't see it as realistic to prevent all XSS issues. The domain validation process is one of the most security-sensitive pieces of the CA ecosystem, therefore I recommend that:

* Domain validation mails must not use HTML and must not contain any user-controlled content.

--
Hanno Böck
https://hboeck.de/
mail/jabber: [email protected]
GPG: BBB51E42
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
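As an added illustration of the rule proposed above (example code, not part of the message or of any CA's software), the following Python sketch builds a domain validation email as text/plain from a fixed template whose only variable parts are a syntax-checked domain and a CA-generated token, with the recipient's local part drawn from a fixed list rather than from applicant input, plus an audit check that flags outgoing messages containing HTML or markup-like text. Function names, the template wording and the allowed local parts are assumptions made for this example.

```python
import re
from email.message import EmailMessage
from email.policy import default

# Hostname label: letters, digits and hyphens, 1-63 chars, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# The token is generated by the CA; the check guards against a mis-wired caller.
_TOKEN = re.compile(r"^[A-Za-z0-9_-]{20,128}$")
# Recipient local parts the CA itself chooses (assumed list for this example).
_ALLOWED_LOCAL_PARTS = ("admin", "administrator", "hostmaster", "postmaster", "webmaster")

# Fixed plain-text template: nothing from the applicant is interpolated.
_TEMPLATE = (
    "Domain validation request for {domain}\n\n"
    "A certificate was requested for {domain}. If you authorised this request,\n"
    "enter the following code on the CA's validation page:\n\n"
    "    {token}\n\n"
    "If you did not request this certificate, ignore this message.\n"
)

def validate_domain(domain: str) -> str:
    """Return the normalised hostname or raise ValueError if it is not a clean hostname."""
    d = domain.strip().rstrip(".").lower()
    labels = d.split(".")
    if not (1 <= len(d) <= 253) or len(labels) < 2 or not all(_LABEL.match(x) for x in labels):
        raise ValueError("not a syntactically valid hostname")
    return d

def build_validation_email(domain: str, token: str, local_part: str, sender: str) -> EmailMessage:
    """Compose the text/plain validation mail; every field is CA-controlled or syntax-checked."""
    d = validate_domain(domain)
    if not _TOKEN.match(token):
        raise ValueError("token has unexpected format")
    if local_part not in _ALLOWED_LOCAL_PARTS:
        raise ValueError("recipient local part is not one the CA chooses")
    msg = EmailMessage(policy=default)
    msg["From"] = sender
    msg["To"] = f"{local_part}@{d}"
    msg["Subject"] = f"Domain validation for {d}"
    msg.set_content(_TEMPLATE.format(domain=d, token=token), subtype="plain")
    return msg

def audit_outgoing(msg: EmailMessage) -> list:
    """Findings for a message that breaks the plain-text-only rule; an empty list means it passes."""
    findings = []
    for part in msg.walk():
        ct = part.get_content_type()
        if ct == "text/html":
            findings.append("HTML part present")
        elif ct.startswith("text/") and re.search(r"<[A-Za-z/!]", part.get_content()):
            findings.append(f"markup-like content in {ct} part")
    return findings
```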

