Subject: Re: Update: Contributed doc. browser bindings incl. Shibboleth
Prateek,

Although I share your concerns with the use of JavaScript, I believe this is a long since lost case. There are *very* few that really turn off JavaScript, as many sites simply do not work without it. There are AFAIK practically no proofs of successful attacks on browsing users, although it has been explained how such attacks can be performed. Scripts in e-mail attachments that execute in the context of the user are an *entirely* different story.

Anyway, "fat browser objects" do work (at the expense of an extra click by the user), even if JavaScript is disabled. I just did not include that part of the code as it looks a bit ugly :-)

Anders

----- Original Message -----
From: "Mishra, Prateek" <pmishra@netegrity.com>
To: "'Anders Rundgren'" <anders.rundgren@telia.com>; <security-services@lists.oasis-open.org>
Sent: Thursday, August 02, 2001 22:13
Subject: RE: Update: Contributed doc. browser bindings incl. Shibboleth

I would also view with great concern the use of Javascript. The security holes in the interaction between web browsers and Javascript are innumerable and continue to pop up every now and then. Take a look at http://polaris.umuc.edu/~mgaylor/jssecurity.html or indeed please search from google with the search pattern

  +security +javascript

Certainly, many people would be concerned by its inclusion in a standard. I would argue that the SAML web browser profile should work with all scripting at the web browser turned off.

- prateek

>> >>> To what extent are they standard?
>>
>> It is an advanced use of existing standards including HTTP/S,
>> Base64, JavaScript, XML, PKI and HTML forms.