Re: [websec] Same Origins and email

Adam Barth <ietf@adambarth.com> Mon, 12 December 2011 19:53 UTC

In-Reply-To: <F5833273385BB34F99288B3648C4F06F19C6C1551D@EXCH-C2.corp.cloudmark.com>
References: <F5833273385BB34F99288B3648C4F06F19C6C15518@EXCH-C2.corp.cloudmark.com> <CAJE5ia8mDSjr6ww3uduUP_SQV2i9CB5cpuLDzL1tj8MvWb8PcA@mail.gmail.com> <F5833273385BB34F99288B3648C4F06F19C6C1551A@EXCH-C2.corp.cloudmark.com> <215EC5C2-A72E-461E-BF9E-1E291CDBD439@checkpoint.com> <CAJE5ia-GTD2GPxJw0KhPUjQQ9_Bhc4B7of2FAecBt9nZiKP27g@mail.gmail.com> <F5833273385BB34F99288B3648C4F06F19C6C1551D@EXCH-C2.corp.cloudmark.com>
From: Adam Barth <ietf@adambarth.com>
Date: Mon, 12 Dec 2011 11:52:47 -0800
Message-ID: <CAJE5ia-KTRVYO5p91oqLmW=DUCBasgYQc1d5QQSiEUgtLwunGA@mail.gmail.com>
To: "Murray S. Kucherawy" <msk@cloudmark.com>
Cc: "websec@ietf.org" <websec@ietf.org>
Subject: Re: [websec] Same Origins and email
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>

On Mon, Dec 12, 2011 at 11:38 AM, Murray S. Kucherawy <msk@cloudmark.com> wrote:
>> -----Original Message-----
>> From: Adam Barth [mailto:ietf@adambarth.com]
>> Sent: Monday, December 12, 2011 11:35 AM
>> To: Yoav Nir
>> Cc: Murray S. Kucherawy; websec@ietf.org
>> Subject: Re: [websec] Same Origins and email
>>
>> The questions you're asking don't really have universal answers.
>> These behaviors aren't standardized and so are likely to vary from MUA
>> to MUA.
>
> I think that's why I'm asking the question.
>
> I wonder if it would be a useful area to explore in terms of standardization since MUA-based HTML pages suffer many of the same attacks as regular browsers do.  That seems to be an attack surface that's largely unaddressed here.

I really have an opinion on that topic.  If you'd like to move in that
direction, I'd recommend talking with implementors of MUAs to see if
they'd be interested in implementing such a standard.

Adam