Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in To day's Web Applications"

[Florian Weimer <fw () deneb enyo de>]

* Arian Evans:

> Maybe I was too critical in my initial response to Thomas's paper.
> I still do not believe we need a new term; this fixation on particulars
> (XSS, XST, XFS, XDS, etc.) is to my mind one of the main detractors
> to focusing on overall robust application design.

At some point, you simply have to face that it's impossible to write
robust web applications.  There are too many bugs and too many
questionable practices users have grown accustomed to, and have to be
supported.

What's worse is that browsers are *required* to leak plenty of data
between sites of varying trust.  You can't build a reliable
application on top of this foundation.