On Friday, July 29, 2016 at 2:24:43 PM UTC-7, Hanno Böck wrote:
> Hi,
>
> I just saw this report and my initial reaction was that it seems to be
> a grave security risk to use HTML emails with user controlled content
> for email domain validation.
>
> I don't see any need for this and would strongly recommend that a
> policy forbidding that practice gets implemented. The alternative would
> be carefully preventing XSS issues, but honestly, XSS is complicated
> and subtle, I don't see it as realistic to prevent all XSS issues.
>
> The domain validation process is one of the most security sensitive
> pieces of the CA ecosystem, therefore I recommend that:
> * Domain validation mails must not use HTML and must not contain any
>   user-controlled content.
>
> --
> Hanno Böck
> https://hboeck.de/
>
> mail/jabber: [email protected]
> GPG: BBB51E42

It is not "XSS" BTW when emails don't use JavaScript.

