[Slow2Show]

| Q: Why the name "Cross Site Scripting"?
| A: This issue isn't just about scripting, and there isn't
| necessarily anything cross site about it. So why the name?
| It was coined earlier on when the problem was less
| understood, and it stuck.

I think the misuse of the term relates to the CERT advisory CA-2002-02, "Malicious HTML Tags Embedded in Client Web Requests" at

  http://www.cert.org/advisories/CA-2000-02.html

The advisory talks about several ways to include script code in web pages. One way exploits browser vulnerabilities, in which browsers fail to make sure documents of different origins are not allowed to interfere with one another. The CERT advisory calls this particular problem "Cross-site Scripting".

For some reason, the term is now used for every problem outlined by the CERT advisory (and then some).

I may, of course, be totally wrong. :)

Sverre.

-- 
shhat_private
Computer Geek? Try my Nerd Quiz
http://shh.thathost.com/ http://nerdquiz.thathost.com/
This archive was generated by hypermail 2b30 : Tue Apr 30 2002 - 09:28:18 PDT