Open TallTed opened 3 months ago
Just adding link to existing discussion: Prevent or sanitise HTML on write by default for unauthenticated users https://github.com/CommunitySolidServer/CommunitySolidServer/issues/1596
Limiting writing of executable code should be included as a partial countermeasure, at least:
https://github.com/solid/security-considerations/blob/d2dc6d6725fc74904201bf5e9bd8d0c644334b56/index.bs#L112-L115
The first bullet under countermeasures is more of a vulnerability than a countermeasure, and should be moved... or rephrased to focus on how "same-origin security boundaries" can work as a countermeasure. (The current point of the first bullet should be moved to the vulnerabilities section, or start a new section focusing on this vulnerability, if the document restructuring discussed previously is implemented.)
Having only one or two countermeasures seems insufficient for an entire section, meant to address all vulnerabilities. But having few countermeasures is fine if they are addressing a single vulnerability, as in the previously suggested restructuring.