Partial SOP Bypass via W3 Standards

# David Dworken (5 days ago)

I have discovered a partial SOP bypass that works in every browser due to a fundamental flaw in the W3 standards (for the time being, reach out to me individually if you need to see the proof of concept). Is this the correct place to open a discussion on how to fix or mitigate this flaw? Or is there a limited subset of trusted W3 members I should include in the discussion? Or should I send in bug reports to individual browser vendors?

Thanks, David Dworken

Contact us to advertise here
# Mike West (4 days ago)

I'd suggest filing bugs with vendors. For Chrome, that's bugs.chromium.org/p/chromium/issues/entry?template=Security%20Bug. We can coordinate cross-vendor discussions privately if necessary.

# Angelo Liao (4 days ago)

For security bugs on Edge/IE, you can email the secure@microsoft.comsecure@microsoft.com alias and we will respond accordingly. You can also submit bugs through developer.microsoft.com/en-us/microsoft-edge/platform/issues/.

From: Mike West [mailto:mkwst@google.com] Sent: Monday, September 11, 2017 7:24 AM To: David Dworken david@daviddworken.com; public-webappsec@w3.org Subject: Re: Partial SOP Bypass via W3 Standards

I'd suggest filing bugs with vendors. For Chrome, that's bugs.chromium.org/p/chromium/issues/entry?template=Security%20Bug. We can coordinate cross-vendor discussions privately if necessary.

On Mon 11. Sep 2017 at 16:07, David Dworken david@daviddworken.com<mailto:david@daviddworken.com> wrote: Hi,

I have discovered a partial SOP bypass that works in every browser due to a fundamental flaw in the W3 standards (for the time being, reach out to me individually if you need to see the proof of concept). Is this the correct place to open a discussion on how to fix or mitigate this flaw? Or is there a limited subset of trusted W3 members I should include in the discussion? Or should I send in bug reports to individual browser vendors?

Thanks, David Dworken

# John Wilander (4 days ago)

For Apple, you can report security and privacy issues over email to product-security@apple.com product-security@apple.com and use PGP to protect the information in-flight: support.apple.com/en-us/HT201214, [https://support.apple.com/en-us/HT201214](https://support.apple.com/en-us/HT201214).

For WebKit specifically, you can file a security bug here: bugs.webkit.org/enter_bug.cgi?product=Security, [https://bugs.webkit.org/enter_bug.cgi?product=Security](https://bugs.webkit.org/enter_bug.cgi?product=Security)

Regards, John

# Daniel Veditz (4 days ago)

For Firefox please file a security bug at bugzilla.mozilla.org, or email us at security@mozilla.org and use our PGP key to encrypt the contents www.mozilla.org/en-US/security/#pgpkey

When you file the bug please make sure to use the "this is a security bug" checkbox.

-Dan Veditz

On Sun, Sep 10, 2017 at 9:25 AM, David Dworken david@daviddworken.com

wrote:

# Angelo Liao (4 days ago)

The PGP key is here: technet.microsoft.com/en-us/security/dn606155.aspx

From: Angelo Liao Sent: Monday, September 11, 2017 10:35 AM To: 'Mike West' mkwst@google.com; David Dworken david@daviddworken.com; public-webappsec@w3.org Subject: RE: Partial SOP Bypass via W3 Standards

For security bugs on Edge/IE, you can email the secure@microsoft.comsecure@microsoft.com alias and we will respond accordingly. You can also submit bugs through developer.microsoft.com/en-us/microsoft-edge/platform/issues/.

From: Mike West [mailto:mkwst@google.com] Sent: Monday, September 11, 2017 7:24 AM To: David Dworken david@daviddworken.com<mailto:david@daviddworken.com>; public-webappsec@w3.orgpublic-webappsec@w3.org Subject: Re: Partial SOP Bypass via W3 Standards

I'd suggest filing bugs with vendors. For Chrome, that's bugs.chromium.org/p/chromium/issues/entry?template=Security%20Bug. We can coordinate cross-vendor discussions privately if necessary.

On Mon 11. Sep 2017 at 16:07, David Dworken david@daviddworken.com<mailto:david@daviddworken.com> wrote: Hi,

I have discovered a partial SOP bypass that works in every browser due to a fundamental flaw in the W3 standards (for the time being, reach out to me individually if you need to see the proof of concept). Is this the correct place to open a discussion on how to fix or mitigate this flaw? Or is there a limited subset of trusted W3 members I should include in the discussion? Or should I send in bug reports to individual browser vendors?

Thanks, David Dworken

# Yan Zhu (3 days ago)

For Brave, you can email me or file it at hackerone.com/brave.

Want more features?

Request early access to our private beta of readable email premium.