Re: [websec] Same Origins and email
Adam Barth <ietf@adambarth.com> Mon, 12 December 2011 21:06 UTC
To: "Murray S. Kucherawy" <msk@cloudmark.com>
Cc: "websec@ietf.org" <websec@ietf.org>

On Mon, Dec 12, 2011 at 11:52 AM, Adam Barth <ietf@adambarth.com> wrote:
> On Mon, Dec 12, 2011 at 11:38 AM, Murray S. Kucherawy <msk@cloudmark.com> wrote:
>>> -----Original Message-----
>>> From: Adam Barth [mailto:ietf@adambarth.com]
>>> Sent: Monday, December 12, 2011 11:35 AM
>>> To: Yoav Nir
>>> Cc: Murray S. Kucherawy; websec@ietf.org
>>> Subject: Re: [websec] Same Origins and email
>>>
>>> The questions you're asking don't really have universal answers.
>>> These behaviors aren't standardized and so are likely to vary from MUA
>>> to MUA.
>>
>> I think that's why I'm asking the question.
>>
>> I wonder if it would be a useful area to explore in terms of standardization since MUA-based HTML pages suffer many of the same attacks as regular browsers do. That seems to be an attack surface that's largely unaddressed here.
>
> I

^^ don't :)

> really have an opinion on that topic. If you'd like to move in that
> direction, I'd recommend talking with implementors of MUAs to see if
> they'd be interested in implementing such a standard.
>
> Adam