The new WebAppSec WG charter draft does include a deliverable for secure
mashups built with cross-domain framing, with the specific intent to put
forward a proposal for anti-clickjacking in this space.
However, I have concerns with nearly every aspect of this draft.
First, I am concerned
't seen any discussion of these concerns yet.
-Brad
-Original Message-
From: Arthur Barstow [mailto:art.bars...@nokia.com]
Sent: Tuesday, July 05, 2011 7:30 AM
To: Hill, Brad; Anne van Kesteren
Cc: WebApps WG; public-web-secur...@w3.org; Daniel Veditz
Subject: Re: Publishing From-O
u...@w3.org] On Behalf Of Bjoern Hoehrmann
Sent: Tuesday, July 05, 2011 4:38 PM
To: Marcos Caceres
Cc: WebApps WG; public-web-secur...@w3.org
Subject: Re: Publishing From-Origin Proposal as FPWD
* Marcos Caceres wrote:
>On Tue, Jul 5, 2011 at 5:50 PM, Hill, Brad wrote:
>> I feel that the
rom-Origin, the WebAppSec WG is
already chartered to do the necessary coordination.
-Brad
-Original Message-
From: Adam Barth [mailto:w...@adambarth.com]
Sent: Thursday, July 07, 2011 3:24 PM
To: Thomas Roessler
Cc: Tobias Gondrom; Arthur Barstow; Hill, Brad; Eric Rescorla; Alexey Melnikov
-Original Message-
From: public-webapps-requ...@w3.org [mailto:public-webapps-requ...@w3.org] On
Behalf Of Anne van Kesteren
Sent: Friday, July 22, 2011 8:09 AM
To: WebApps WG
Subject: From-Origin FPWD
Hi,
The WebApps WG published the From-Origin header proposal as FPWD:
http://www
I'm still not convinced that implementing this as a feature of the User Agent
benefits the user or is the most appropriate technology for addressing the
problem statements in the specification.
What are the use cases where a user is better off if their browser obeys
From-Origin than if it does
should we expect it to become universally deployed where referrer checking is
not?
-Brad
From: rocalla...@gmail.com [mailto:rocalla...@gmail.com] On Behalf Of Robert
O'Callahan
Sent: Monday, August 01, 2011 6:16 AM
To: Hill, Brad
Cc: Anne van Kesteren; WebApps WG
Subject: Re: From-Origin FPW
As discussed in the WebAppSec WG call on Dec 6, the editor would like to
promote Cross-Origin Resource Sharing (CORS) to Last Call and this is a Call
for Consensus to do so:
http://www.w3.org/TR/2010/WD-cors-20100727/
This CfC satisfies the group's requirement to "record the group's decision t
Kusuke Ebihara (Ikousuke at co3k.org ) has discovered an interesting security
bug with XHR.
http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2012-January/008170.html
Basically, for CGI programs, characters that are valid in HTTP headers but not
in Unix shell environment va
The WebApps and WebAppSec WG would like to announce the publication of
Cross-Origin Resource Sharing (CORS) as a Last Call Working Draft.
http://www.w3.org/TR/cors/
Please send comments about this document to public-webapp...@w3.org with [CORS]
as the start of the subject line.
Deadline for co
The Web Application Security Working Group at the W3C is planning to advance
Content Security Policy 1.0 to Candidate Recommendation - a final set of
features and syntax - and is seeking wide review of the document at this time.
We would especially value the input of members of the WebApps WG.
http://lists.w3.org/Archives/Public/public-webappsec/2012Oct/0004.html
This bug report on CORS, that the "Last-Event-ID" header should be a simple
header, (along with Origin and Referer based on the status of actual
implementations) is the last substantive change to the document that remains
un
WebApps and WebAppSec WG members, (and copied security interest groups who we
invite to provide comments)
Following discussion at TPAC, I've resolved outstanding changes in the security
considerations section agreed to by WebAppSec as well as differences between
the W3C and WHATWG versions of C
WebApps WG,
I have been following with interest (though with less time to give it the
attention I wish) the emergence of Web Components and related specifications.
(HTML Templates, Shadow DOM, etc.)
I wonder if it would be a good time to start discussing the security model
jointly with the
mitri
Glazkov
Sent: Monday, March 11, 2013 1:23 PM
To: Arthur Barstow
Cc: Hill, Brad; public-webapp...@w3.org; WebApps WG (public-webapps@w3.org)
Subject: Re: security model of Web Components, etc. - joint work with WebAppSec?
On Sat, Mar 9, 2013 at 4:36 AM, Arthur Barstow
<mailto:art.bars...@nokia.com>
to a cross-origin
component?
-Brad Hill
> -Original Message-
> From: Arthur Barstow [mailto:art.bars...@nokia.com]
> Sent: Friday, March 15, 2013 7:20 AM
> To: Hill, Brad; Dimitri Glazkov
> Cc: public-webapp...@w3.org; public-webapps
> Subject: Re: security model of W
I think the broader goals Jonas has articulated probably belong in their own
group, perhaps chartered along with some of what comes out of the upcoming Web
Crypto Next Steps workshop.
http://www.w3.org/2012/webcrypto/webcrypto-next-workshop/papers.html
I'll say by way of indicating possible c