security-services message



Subject: Re: Update: Contributed doc. browser bindings incl. Shibboleth


Prateek,
Although I share your concerns with the use of JavaScript, I believe
this is a long-since lost case.  There are *very* few who really turn off
JavaScript, as many sites simply do not work without it.
There are, AFAIK, practically no proofs of successful attacks
on browsing users, although it has been explained how such
attacks can be performed.

Scripts in e-mail attachments that execute in the context of
the user are an *entirely* different story.

Anyway, "fat browser objects" do work (at the expense of
an extra click by the user), even if JavaScript is disabled.
I just did not include that part of the code, as it looks a bit ugly :-)

Anders

----- Original Message ----- 
From: "Mishra, Prateek" <pmishra@netegrity.com>
To: "'Anders Rundgren'" <anders.rundgren@telia.com>; <security-services@lists.oasis-open.org>
Sent: Thursday, August 02, 2001 22:13
Subject: RE: Update: Contributed doc. browser bindings incl. Shibboleth


I would also view with great concern the use
of JavaScript. The security holes in the interaction
between web browsers and JavaScript are innumerable and continue
to pop up every now and then. Take a look at

   http://polaris.umuc.edu/~mgaylor/jssecurity.html

or indeed please search Google with the search pattern

+security +javascript


Certainly, many people would be concerned by
its inclusion in a standard. I would argue that the
SAML web browser profile should work with all scripting
at the web browser turned off.


- prateek


>>
>>> To what extent are they standard? 
>>
>>It is an advanced use of existing standards including HTTP/S,
>>Base64, JavaScript, XML, PKI and HTML forms.
>>
>>



