
Re: [WEB SECURITY] RE: XSS-Phishing on Financial Sites (Tip of the iceberg)



On 6/28/06, RSnake <rsnake@xxxxxxxxxxxx> wrote:
... A more realistic problem is I actually _might_ want
people to automatically send traffic to my comments function if someone
eventually builds an application to forward requests to my page to make
it easier for my users.  Again, you could argue that in that case I
should explicitly allow that one referrer in, and I might agree, but
wow... this is seeming like an administration nightmare, even on a small
site like mine.

If you change your policy on who should and shouldn't be sending requests to certain pages, you should expect that you will need to do some work to make that policy take effect. That's true no matter what kind of enforcement mechanism you are using. The more elaborate your policy, the more work you are going to have to do to describe it.

Is the extra work required to enable the policy worth the trouble?  It
depends on the site.

Regards,
Brian

----------------------------------------------------------------------------
The Web Security Mailing List: http://www.webappsec.org/lists/websecurity/


The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
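To make the trade-off in this exchange concrete, here is an added example (my own code, not anything posted by RSnake or Brian) of a per-page referrer allowlist of the kind the thread is arguing about: each state-changing page lists the origins allowed to send it requests, and admitting a new forwarding application is a one-entry change to that table. The paths, hostnames and the `REFERRER_POLICY` table are constructed for the example; the check compares the full origin (scheme, host, port) of the Referer header rather than doing a substring match, and treats a missing Referer as a separate, configurable case because many clients and proxies strip it.

```python
from urllib.parse import urlsplit

# Per-page policy: the set of origins permitted to send requests to each
# state-changing page. Constructed sample values; a real site fills this
# in from its own configuration.
REFERRER_POLICY = {
    "/comments/post":  {"https://example.com"},
    "/profile/update": {"https://example.com"},
}


def origin_of(url):
    """Return 'scheme://host[:port]' for an absolute http(s) URL, else None.

    Using the parsed origin (not a prefix or substring test) means
    'https://example.com.attacker.test' and 'https://example.com@other.test'
    do not match the allowed origin 'https://example.com'.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return None
    suffix = f":{port}" if port else ""
    # urlsplit lower-cases scheme and hostname for us
    return f"{parts.scheme}://{parts.hostname}{suffix}"


def referrer_allowed(path, referer_header, policy=REFERRER_POLICY,
                     allow_missing=False):
    """Decide whether a request to `path` may proceed given its Referer.

    Pages absent from the policy are unrestricted. A missing header is
    accepted only when allow_missing is set, since legitimate clients may
    omit Referer and the site has to choose how strict it wants to be.
    """
    allowed = policy.get(path)
    if allowed is None:
        return True
    if not referer_header:
        return allow_missing
    origin = origin_of(referer_header)
    return origin is not None and origin in allowed


def allow_forwarder(policy, path, forwarder_origin):
    """The 'explicitly allow that one referrer in' case from the thread:
    extend one page's policy with one more permitted origin."""
    policy.setdefault(path, set()).add(forwarder_origin)
    return policy


def evaluate(requests, policy=REFERRER_POLICY):
    """Run a batch of (path, referer) pairs through the policy; returns a
    list of (path, referer, decision) tuples for review."""
    return [(p, r, referrer_allowed(p, r, policy)) for p, r in requests]


if __name__ == "__main__":
    # Constructed sample traffic, including a look-alike host and a
    # request that carries no Referer at all.
    sample = [
        ("/comments/post", "https://example.com/post/42"),
        ("/comments/post", "https://example.com.attacker.test/"),
        ("/comments/post", None),
        ("/about", "https://anything.test/"),
    ]
    for path, ref, ok in evaluate(sample):
        print(f"{'ALLOW' if ok else 'DENY ':5} {path} <- {ref!r}")

    # Later, a forwarding application is approved for the comments page:
    policy = {k: set(v) for k, v in REFERRER_POLICY.items()}
    allow_forwarder(policy, "/comments/post", "https://forwarder.example.net")
    print(referrer_allowed("/comments/post",
                           "https://forwarder.example.net/go", policy))
```

The design choice worth noting is that the policy is data, not code: widening it for one more referrer is an edit to the table, which is exactly the administrative cost Brian describes, and nothing more. Referer checking of this kind is a supplement to, not a replacement for, per-request anti-forgery tokens, because the header is absent or unreliable for a share of real clients.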