[cap-talk] Fwd: [cors] TAG request concerning CORS & Next Step(s)
Bill Frantz
frantz at pwpconsult.com
Wed Jul 8 17:31:29 EDT 2009
cap-talk at adambarth.com (Adam Barth) on Tuesday, July 7, 2009 wrote:
>Plugins can run arbitrary code on the user's machine. Considering
>what happens after the user installs the attacker's plugin isn't
>productive. The user has already lost all of their security.

This statement also applies to every application that the user installs.
Note that getting your software from a well-known company doesn't offer a
guarantee of good behavior, as those who were willing to auto-run a CD from
Sony found out.

It seems to me the question here is, "Are there scenarios where a user and
a vendor C will be willing to conspire to violate the access policy between
sites A and B that CORS makes possible?" If the only issues are economic,
then it is reasonable to ask in addition whether the conspiracies will have
a significant economic effect.

Cheers - Bill
-----------------------------------------------------------------------
Bill Frantz | gets() remains as a monument | Periwinkle
(408)356-8506 | to C's continuing support of | 16345 Englewood Ave
www.pwpconsult.com | buffer overruns. | Los Gatos, CA 95032