Re: [whatwg] Should scripts and plugins in contenteditable content be enabled or disabled?

2010-05-19 Thread Collin Jackson
On Wed, May 19, 2010 at 4:57 PM, Adam Barth w...@adambarth.com wrote: Virtually none of the JavaScript framebusting scripts used by web sites are effective. Yes. If anyone would like to see more evidence of this, here's a recent study of the Alexa Top 500 web sites. None of them were

Re: [whatwg] Dealing with UI redress vulnerabilities inherent to the current web

2008-09-25 Thread Collin Jackson
On Thu, Sep 25, 2008 at 10:24 AM, Michal Zalewski wrote: Other quick fixes are easy to come up with, but in general prove problematic in many usage scenarios. Based on our internal conversations, we have a number of proposals for approaches to how to address the issue, along

Re: [whatwg] Dealing with UI redress vulnerabilities inherent to the current web

2008-09-25 Thread Collin Jackson
On Thu, Sep 25, 2008 at 1:46 PM, Michal Zalewski wrote: 7) New HTTP request header: Browser vendors seem to be moving away from same origin restrictions towards verifiable origin labels that let the site decide whether two security origins trust each other. Recent examples

Re: [whatwg] Origin header and forms

2008-07-09 Thread Collin Jackson
Adam Barth, John Mitchell, and I have written an academic paper in support of the Origin header as a CSRF defense: http://crypto.stanford.edu/websec/csrf/ On Wed, Jul 9, 2008 at 6:59 PM, Jonas Sicking wrote: Hi All, The Access-Control spec [1] adds an 'Origin' header that is

Re: [whatwg] The iframe element and sandboxing ideas

2008-07-03 Thread Collin Jackson
On Thu, Jul 3, 2008 at 12:59 AM, Kristof Zelechovski wrote: Microsoft HTML engine supports the following syntax: IFRAME src=about:HTML ./HTML . I'd like to learn more about this. I wasn't able to reproduce it in IE. Is it documented somewhere? Collin Jackson

Re: [whatwg] A potential slight security enhancement to postMessage

2008-02-01 Thread Collin Jackson
the message. There are a number of gotchas, which we think we've handled correctly, but it's hard to be sure. In the end, it would be much simpler and less error-prone to write this as a single line of code: frames[0].postMessage(message, theory.stanford.edu); Collin Jackson

Re: [whatwg] A potential slight security enhancement to postMessage

2008-01-30 Thread Collin Jackson
Here is a suggestion for a backwards-compatible addition to the postMessage specification: Currently postMessage is great for sending authenticated messages between frames. The receiver knows exactly where each message came from. However, it doesn't provide any confidentiality guarantees. When

Re: [whatwg] HTML5 frame navigation policy

2008-01-29 Thread Collin Jackson
On Oct 26, 2007 3:51 PM, Adam Barth wrote: Collin Jackson and I have been looking at the frame navigation policy of various browsers and have a suggestion for improving the frame navigation policy in the HTML5 spec. As we understand the spec [1], it is stricter than IE7