
Re: web security happenings

2010-07-13 17:26:29
On 7/13/10 3:26 PM, Iljitsch van Beijnum wrote:
> On 13 jul 2010, at 18:49, Peter Saint-Andre wrote:
>
>> fun technologies like AJAX but also opens up the possibility for
>> new attacks (cross-site scripting, cross-site request forgery,
>> malvertising, clickjacking, and all the rest).
>
> Isn't this W3C stuff?


Peter Saint-Andre replied in part:
>
> Good question. We've had discussions about that with folks from the W3C
> and there's broad agreement that we'll divide up the work by having the
> IETF focus on topics that are more closely related to HTTP (e.g., new
> headers) and by having the W3C focus on topics that are more closely
> related to HTML and web browsers (e.g., Mozilla's Content Security
> Policy and the W3C's "Web Security Context: User Interface Guidelines"
> document).


See also this recent position paper by myself and Andy Steingruebl..

  The Need for Coherent Web Security Policy Framework(s)
  http://w2spconf.com/2010/papers/p11.pdf

..in Section 5 "How and where to organize the effort?" we discuss this overall question.

> But the exact dividing line for that division of labor is a good issue
> for discussion at the HASMAT BoF.

I suspect the dividing line won't be "exact" but rather is something that we'll need to decide on a case-by-case on-going basis.

Regardless, this overall topic area is one we (the greater Internet/Web community) need to pay attention to.


HTH,

=JeffH
------
Internet Standards and Governance Team
PayPal Information Risk Management

