
Re: web security happenings

2010-07-14 03:42:19
On 13 Jul 2010, at 22:54, Peter Saint-Andre wrote:

On 7/13/10 3:26 PM, Iljitsch van Beijnum wrote:
On 13 jul 2010, at 18:49, Peter Saint-Andre wrote:

fun technologies like AJAX but also opens up the possibility for
new attacks (cross-site scripting, cross-site request forgery,
malvertising, clickjacking, and all the rest).

Isn't this W3C stuff?

Good question. We've had discussions about that with folks from the W3C
and there's broad agreement that we'll divide up the work by having the
IETF focus on topics that are more closely related to HTTP (e.g., new
headers) and by having the W3C focus on topics that are more closely
related to HTML and web browsers (e.g., Mozilla's Content Security
Policy and the W3C's "Web Security Context: User Interface Guidelines"
document).

But the exact dividing line for that division of labor is a good issue
for discussion at the HASMAT BoF.


+1 to that.

There are pieces to this area of work (e.g., JeffH's proposed Simple Transport 
Security) that mostly relate to IETF protocols.

There are pieces (like CORS and UMP, aka "cross-site XMLHttpRequest") that are 
currently at W3C, are on the overlap between protocol work and the browser 
environment, and would benefit from IETF review.

There are other pieces to this work (e.g., controlling the security policies 
within HTML5) that seem essentially in scope for W3C.

To me, it indeed sounds like it would be useful to do this sort of work in 
close coordination between W3C and IETF.

Regards,
--
Thomas Roessler, W3C  <tlr(_at_)w3(_dot_)org>  (@roessler)




_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
