On 7/13/10 3:26 PM, Iljitsch van Beijnum wrote:
> On 13 jul 2010, at 18:49, Peter Saint-Andre wrote:
>
>> fun technologies like AJAX but also opens up the possibility for
>> new attacks (cross-site scripting, cross-site request forgery,
>> malvertising, clickjacking, and all the rest).
>
> Isn't this W3C stuff?
Peter Saint-Andre replied in part:
>
> Good question. We've had discussions about that with folks from the W3C
> and there's broad agreement that we'll divide up the work by having the
> IETF focus on topics that are more closely related to HTTP (e.g., new
> headers) and by having the W3C focus on topics that are more closely
> related to HTML and web browsers (e.g., Mozilla's Content Security
> Policy and the W3C's "Web Security Context: User Interface Guidelines"
> document).
See also this recent position paper by myself and Andy Steingruebl..
The Need for Coherent Web Security Policy Framework(s)
http://w2spconf.com/2010/papers/p11.pdf
..in Section 5 "How and where to organize the effort?" we discuss this overall
question.
> But the exact dividing line for that division of labor is a good issue
> for discussion at the HASMAT BoF.
I suspect the dividing line won't be "exact" but rather is something that we'll
need to decide on a case-by-case, ongoing basis.
Regardless, this overall topic area is one we (the greater Internet/Web
community) need to pay attention to.
HTH,
=JeffH
------
Internet Standards and Governance Team
PayPal Information Risk Management