<article>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#article09_06_29_2048207</id>
	<title>New Firefox Standard Aims to Combat Cross-Site Scripting</title>
	<author>ScuttleMonkey</author>
	<datestamp>1246269960000</datestamp>
	<htmltext><a href="http://www.technologyreview.com/" rel="nofollow">Al</a> writes <i>"The Mozilla Foundation is to adopt a new standard to help web sites <a href="http://www.technologyreview.com/computing/22940/">prevent cross-site scripting attacks</a> (XSS). The standard, called <a href="http://people.mozilla.org/~bsterne/content-security-policy/">Content Security Policy</a>, will let a website specify what Internet domains are allowed to host the scripts that run on its pages. This breaks with Web browsers' tradition of treating all scripts the same way by requiring that websites put their scripts in separate files and explicitly state which domains are allowed to run the scripts. The Mozilla Foundation selected the implementation because it allows sites to choose whether to adopt the restrictions. 'The severity of the XSS problem in the wild and the cost of implementing CSP as a mitigation are open to interpretation by individual sites,' Brandon Sterne, security program manager for Mozilla, wrote on the <a href="http://blog.mozilla.com/security/2009/06/19/shutting-down-xss-with-content-security-policy/">Mozilla Security Blog</a>. 'If the cost versus benefit doesn't make sense for some site, they're free to keep doing business as usual.'"</i></htmltext>
<tokentext>Al writes " The Mozilla foundation is to adopt a new standard to help web sites prevent cross site scripting attacks ( XSS ) .
The standard , called Content Security Policy , will let a website specify what Internet domains are allowed to host the scripts that run on its pages .
This breaks with Web browsers ' tradition of treating all scripts the same way by requiring that websites put their scripts in separate files and explicitly state which domains are allowed to run the scripts .
The Mozilla Foundation selected the implementation because it allows sites to choose whether to adopt the restrictions .
'The severity of the XSS problem in the wild and the cost of implementing CSP as a mitigation are open to interpretation by individual sites, ' Brandon Sterne , security program manager for Mozilla , wrote on the Mozilla Security Blog .
'If the cost versus benefit does n't make sense for some site , they 're free to keep doing business as usual .
' "</tokentext>
<sentencetext>Al writes "The Mozilla foundation is to adopt a new standard to help web sites prevent cross site scripting attacks (XSS).
The standard, called Content Security Policy, will let a website specify what Internet domains are allowed to host the scripts that run on its pages.
This breaks with Web browsers' tradition of treating all scripts the same way by requiring that websites put their scripts in separate files and explicitly state which domains are allowed to run the scripts.
The Mozilla Foundation selected the implementation because it allows sites to choose whether to adopt the restrictions.
'The severity of the XSS problem in the wild and the cost of implementing CSP as a mitigation are open to interpretation by individual sites,' Brandon Sterne, security program manager for Mozilla, wrote on the Mozilla Security Blog.
'If the cost versus benefit doesn't make sense for some site, they're free to keep doing business as usual.
'"</sentencetext>
</article>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521409</id>
	<title>Re:How does this change userland?</title>
	<author>oldhack</author>
	<datestamp>1246277280000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>I second "yay!" for NoScript. You have no idea how tangled commercial websites are until you use NoScript.</htmltext>
<tokentext>I second " yay !
" for Noscript .
You have no idea how tangled commercial websites are until you use noscript .</tokentext>
<sentencetext>I second "yay!
" for Noscript.
You have no idea how tangled commercial websites are until you use noscript.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520823</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520999</id>
	<title>Headline: Google other ad publishers revenues drop</title>
	<author>rescendent</author>
	<datestamp>1246275060000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>2</modscore>
	<htmltext>Presumably the millions of AdSense and publishers will have to enable their sites to maintain adverts..?

Might hit Google revs a bit...</htmltext>
<tokentext>Presumably the millions of adsense and publishers will have to enable their sites to maintain adverts.. ?
Might hit google revs a bit.. .</tokentext>
<sentencetext>Presumably the millions of adsense and  publishers will have to enable their sites to maintain adverts..?
Might hit google revs a bit...</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521259</id>
	<title>Massive Overkill</title>
	<author>butlerm</author>
	<datestamp>1246276560000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>2</modscore>
	<htmltext><p>This proposal looks like massive overkill to me.  Implementing the restriction on inline script tags is equivalent to saying - our web developers are incompetent and naive and cannot be trusted to take basic security measures, so we feel making our web development practices more cumbersome and inefficient (if not impossible) is a healthy trade-off.</p><p>A more effective program would be to develop and promote standardized HTML sanitization routines for popular web development languages, so that user-entered HTML could easily be accepted under certain restrictions.  Most web logs do this already.</p><p>Alternatively, a less draconian solution would be to allow inline scripts to execute if the script tag includes a response-specific serialization value that is also present in the HTTP headers. 64-bit values would make forging an inline script essentially impossible, because there would only be a 1/2^64 probability of a subsequent accidental match.</p></htmltext>
<tokentext>This proposal looks like massive overkill to me .
Implementing the restriction on inline script tags is equivalent to saying - our web developers are incompetent and naive and can not be trusted to take basic security measures , so we feel making our web development practices more cumbersome and inefficient ( if not impossible ) is a healthy trade off.A more effective program would be to develop and promote standardized html sanitization routines for popular web development languages , so that user entered html could easily be accepted under certain restrictions .
Most web logs do this already.Alternatively a less draconian solution would be to allow inline scripts to execute if the script tag includes a response specific serialization value that is also present in the HTTP headers .
64 bit values would make forging a inline script essentially impossible , because there would only be a 1/2 ^ 64 probability of a subsequent accidental match .</tokentext>
<sentencetext>This proposal looks like massive overkill to me.
Implementing the restriction on inline script tags is equivalent to saying - our web developers are incompetent and naive and cannot be trusted to take basic security measures, so we feel making our web development practices more cumbersome and inefficient (if not impossible) is a healthy trade off.A more effective program would be to develop and promote standardized html sanitization routines for popular web development languages, so that user entered html could easily be accepted under certain restrictions.
Most web logs do this already.Alternatively a less draconian solution would be to allow inline scripts to execute if the script tag includes a response specific serialization value that is also present in the HTTP headers.
64 bit values would make forging a inline script essentially impossible, because there would only be a 1/2^64 probability of a subsequent accidental match.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520951</id>
	<title>Some History</title>
	<author>eplawless</author>
	<datestamp>1246274820000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext>I know there's been a lot of dialogue between the authors of <a href="http://www.ccsl.carleton.ca/software/soma/" title="carleton.ca" rel="nofollow">SOMA</a> [carleton.ca], which predates this, and the Mozilla team; it might provide some interesting context.</htmltext>
<tokentext>I know there 's been a lot of dialogue between the authors of SOMA [ carleton.ca ] , which predates this , and the Mozilla team ; it might provide some interesting context .</tokentext>
<sentencetext>I know there's been a lot of dialogue between the authors of SOMA [carleton.ca], which predates this, and the Mozilla team; it might provide some interesting context.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520979</id>
	<title>Re:as an end user</title>
	<author>sexconker</author>
	<datestamp>1246275000000</datestamp>
	<modclass>Funny</modclass>
	<modscore>1</modscore>
	<htmltext><p>As an end user I really hope that the sites I visit have a default policy of "we only serve up our own shit"...</p><p>Fuck.</p></htmltext>
<tokentext>As an end user I really hope that the sites I visit have a default policy of " we only serve up our own shit " .
...Fuck .</tokentext>
<sentencetext>As an end user I really hope that the sites I visit have a default policy of "we only serve up our own shit".
...Fuck.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520787</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28523735</id>
	<title>XSS (Cross-Site Scripting) definition?</title>
	<author>jc42</author>
	<datestamp>1246291980000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>So is there an official definition of "Cross-Site Scripting" somewhere?  Since that phrase started to be used in scary security stories a few years ago, I've been collecting the definitions that various stories provide, and I've been a bit disappointed.  Mostly, they aren't even "definitions", in the usual dictionary sense of the term.  I.e., I can't use most of the purported "definitions" to decide whether what I'm looking at is an instance of the phrase.  And in general, no two stories or sites seem to use similar definitions (when they actually give definitions at all).</p><p>My impression is that "Cross-Site Scripting" is an empty scare phrase that really just means "anything involving two different machines and a script -- whatever that may be".</p><p>So has some official organization defined the phrase?  If so, what makes them an authority?  And is there some way that I can tell when someone is using the official definition (if such exists), or should I just continue to view the phrase as an attempt to scare readers without actually informing them about the problem?</p><p>I note that the definition associated with TFA isn't actually a definition.  And several other postings here have linked to sites that also give ambiguous non-definition definitions.</p><p>It sure seems there's something being talked about here, but it seems to suffer from the usual problem with security authorities, that they view me as an idiot who doesn't need to be informed about the subject matter; I only need to be scared (presumably so that I'll pay them to fix something that they've carefully made sure I can't understand clearly).</p><p>I'd think that security is an area where you'd want to be careful with your definitions and terminology.  But apparently I'm wrong.</p></htmltext>
<tokentext>So is there an official definition of " Cross-Site Scripting " somewhere ?
Since that phrase started to be used in scary security stories a few years ago , I 've been collecting the definitions that various stories provide , and I 've been a bit disappointed .
Mostly , they are n't even " definitions " , in the usual dictionary sense of the term .
I.e. , I ca n't use most of the purported " definitions " to decide whether what I 'm looking at is an instance of the phrase .
And in general , no two stories or sites seem to use similar definitions ( when they actually give definitions at all ) .My impression is that " Cross-Site Scripting " is an empty scare phrase that really just means " anything involving two different machines and a script -- whatever that may be " .So has some official organization defined the phrase ?
If so , what makes them an authority ?
And is there some way that I can tell when someone is using the official definition ( if such exists ) , or should I just continue to view the phrase as an attempt to scare readers without actually informing them about the problem ? I note that the definition associated with TFA is n't actually a definition .
And several other postings here have linked to sites that also give ambiguous non-definition definitions.It sure seems there 's something being talked about here , but it seems to suffer from the usual problem with security authorities , that they view me as an idiot who does n't need to be informed about the subject matter ; I only need to be scared ( presumably so that I 'll pay them to fix something that they 've carefully made sure I ca n't understand clearly ) .I 'd think that security is an area where you 'd want to be careful with your definitions and terminology .
But apparently I 'm wrong .</tokentext>
<sentencetext>So is there an official definition of "Cross-Site Scripting" somewhere?
Since that phrase started to be used in scary security stories a few years ago, I've been collecting the definitions that various stories provide, and I've been a bit disappointed.
Mostly, they aren't even "definitions", in the usual dictionary sense of the term.
I.e., I can't use most of the purported "definitions" to decide whether what I'm looking at is an instance of the phrase.
And in general, no two stories or sites seem to use similar definitions (when they actually give definitions at all).My impression is that "Cross-Site Scripting" is an empty scare phrase that really just means "anything involving two different machines and a script -- whatever that may be".So has some official organization defined the phrase?
If so, what makes them an authority?
And is there some way that I can tell when someone is using the official definition (if such exists), or should I just continue to view the phrase as an attempt to scare readers without actually informing them about the problem?I note that the definition associated with TFA isn't actually a definition.
And several other postings here have linked to sites that also give ambiguous non-definition definitions.It sure seems there's something being talked about here, but it seems to suffer from the usual problem with security authorities, that they view me as an idiot who doesn't need to be informed about the subject matter; I only need to be scared (presumably so that I'll pay them to fix something that they've carefully made sure I can't understand clearly).I'd think that security is an area where you'd want to be careful with your definitions and terminology.
But apparently I'm wrong.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28523681</id>
	<title>Re:This is great for Firefox users...</title>
	<author>dveditz</author>
	<datestamp>1246291380000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Even if this were never implemented in any other browser, sites would still benefit through early detection of active attacks. If your site implements a security policy with a report URI, then every Firefox visitor will be conducting a passive security scan on every page they visit, at least for the types of security problems CSP targets (primarily XSS).</p></htmltext>
<tokentext>Even if this was never implemented in any other browser sites still benefit through early detection of active attacks .
If your site implements a security policy with a report URI then every Firefox visitor will be conducting a passive security scan on every page they visit , at least for the types of security problems CSP targets ( primarily XSS ) .</tokentext>
<sentencetext>Even if this was never implemented in any other browser sites still benefit through early detection of active attacks.
If your site implements a security policy with a report URI then every Firefox visitor will be conducting a passive security scan on every page they visit, at least for the types of security problems CSP targets (primarily XSS).</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521029</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521727</id>
	<title>Re:Use a file?</title>
	<author>michaelhood</author>
	<datestamp>1246278840000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><div class="quote"><p>Oh, please don't do that. Don't assume that we have rights to that directory. I already really really wish I could set robots.txt for just my subdirectory, but no can do since some semi-moron thought it would be a good idea to make me mail my school department's webmaster to exclude part of my directory.</p></div><p>You can do everything that you do with robots.txt via <a href="http://www.robotstxt.org/meta.html" title="robotstxt.org">robots meta tags</a> [robotstxt.org] and streamline their inclusion with some server-side scripts if so desired.</p>
	</htmltext>
<tokentext>Oh , please do n't do that .
Do n't assume that we have rights to that directory .
I already really really wish I could set robots.txt for just my subdirectory , but no can do since some semi-moron thought it would be a good idea to make me mail my school department 's webmaster to exclude part of my directory.You can do everything that you do with robots.txt via robots meta tags [ robotstxt.org ] and streamline their inclusion with some server-side scripts if so desired .</tokentext>
<sentencetext>Oh, please don't do that.
Don't assume that we have rights to that directory.
I already really really wish I could set robots.txt for just my subdirectory, but no can do since some semi-moron thought it would be a good idea to make me mail my school department's webmaster to exclude part of my directory.You can do everything that you do with robots.txt via robots meta tags [robotstxt.org] and streamline their inclusion with some server-side scripts if so desired.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521095</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28537007</id>
	<title>Re:NOT a standard</title>
	<author>Simetrical</author>
	<datestamp>1246368780000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><div class="quote"><p>The summary is wrong, this is NOT a standard in any way, or even a proposed standard.  This is a proprietary security feature being introduced by Firefox.  I'm not saying this is a bad thing (it's not), or that this won't eventually become a de facto standard (it might).  But it is not a standard.</p></div><p>It's not a standard, but it's not proprietary either.  <i>Proprietary</i> means "owned by someone".  Perhaps the term you're looking for is <i>non-standard</i> or <i>vendor-specific</i>.</p>
	</htmltext>
<tokentext>The summary is wrong , this is NOT a standard in any way , or even a proposed standard .
This is a proprietary security feature being introduced by Firefox .
I 'm not saying this is a bad thing ( it 's not ) , or that this wo n't eventually become a de facto standard ( it might ) .
But it is not a standard.It 's not a standard , but it 's not proprietary either .
Proprietary means " owned by someone " .
Perhaps the term you 're looking for is non-standard or vendor-specific .</tokentext>
<sentencetext>The summary is wrong, this is NOT a standard in any way, or even a proposed standard.
This is a proprietary security feature being introduced by Firefox.
I'm not saying this is a bad thing (it's not), or that this won't eventually become a de facto standard (it might).
But it is not a standard.It's not a standard, but it's not proprietary either.
Proprietary means "owned by someone".
Perhaps the term you're looking for is non-standard or vendor-specific.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521051</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521027</id>
	<title>Re:How does this change userland?</title>
	<author>hedwards</author>
	<datestamp>1246275240000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Well, it irritates me to no end that there isn't a mandatory listing of all the sites that serve scripts for them complete with some sort of explanation.</p><p>I absolutely hate having to figure out which domain that I've blocked that will allow access to the content and which ones are dodgy. And further whether the site that's serving up the content is safe enough to allow.</p></htmltext>
<tokentext>Well , it irritates me to no end that there is n't a mandatory listing of all the sites that serve scripts for them complete with some sort of explanation .
I absolutely hate having to figure out which domain that I 've blocked that will allow access to the content and which ones are dodgy .
And further whether the site that 's serving up the content is safe enough to allow .</tokentext>
<sentencetext>Well, it irritates me to no end that there isn't a mandatory listing of all the sites that serve scripts for them complete with some sort of explanation.
I absolutely hate having to figure out which domain that I've blocked that will allow access to the content and which ones are dodgy.
And further whether the site that's serving up the content is safe enough to allow.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520823</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521171</id>
	<title>Re:Old Standard to Prevent All Attacks</title>
	<author>EvanED</author>
	<datestamp>1246276020000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><i>Don't depend on user-generated content, since it's shit.</i></p><p>Says the person providing user-generated content to a site that depends on it.</p></htmltext>
<tokentext>Do n't depend on user-generated content , since it 's shit.Says the person providing user-generated content to a site that depends on it .</tokentext>
<sentencetext>Don't depend on user-generated content, since it's shit.Says the person providing user-generated content to a site that depends on it.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520935</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28526545</id>
	<title>Re:No more hacking anti piracy organizations?</title>
	<author>darthflo</author>
	<datestamp>1246367640000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>We still can. The mentioned MAFIAA flaws are based on a vulnerability in server-side code. &lt;iframe [...]&gt; is posted as the search criteria and incorporated into the site output to the user. It's all HTTP (submitting the "evil" param) and HTML (returning a usable &lt;iframe&gt;).</p><p>The Firefox implementation "protects" only from scripts included via &lt;script src=..&gt; from another domain. Pure HTML (like above) or in-page scripts aren't blocked. In most* cases, that's a few minutes of extra work, tops, using the same vulnerability.</p><p>* Limitations include content filters (though allowing &lt;script&gt; yet blocking important JS keywords seems not that realistic to me) and being vulnerable only to GET requests (limits script size to some 900 bytes, depending on implementation). A possible benefit (to the attacker) of including the script is being able to host it on a server he controls; thus the script can be changed while the attack is live and some tracking (how many people downloaded the script) can be done. OTOH, the attacker gets (more) trackable, too.</p></htmltext>
<tokentext>We still can .
The mentioned MAFIAA flaws are based on a vulnerability in server-side code .
is posted as the search criteria and incorporated into the site output to the user .
It 's all HTTP ( submitting the " evil " param " ) and HTML ( returning a usable .The Firefox implementation " protects " only from scripts included via from another domain .
Pure HTML ( like above ) or in-page scripts are n't blocked .
In most * cases , that 's a few minutes of extra work , tops ; using the same vulnerability .
* Limitations include content filters ( though allowing yet blocking important JS keywords seems not that realistic to me ) , being vulnerable only to GET requests ( limits script size to some 900 bytes ; depending on implementation ) .
A possible benefit ( to the attacker ) of including the script is being able to host it on a server he controls ; thus the script can be changed while the attack is live and some tracking ( how many people downloaded the script ) can be done .
OTOH , the attacker gets ( more ) trackable , too .</tokentext>
<sentencetext>We still can.
The mentioned MAFIAA flaws are based on a vulnerability in server-side code.
is posted as the search criteria and incorporated into the site output to the user.
It's all HTTP (submitting the "evil" param") and HTML (returning a usable .The Firefox implementation "protects" only from scripts included via  from another domain.
Pure HTML (like above) or in-page scripts aren't blocked.
In most* cases, that's a few minutes of extra work, tops; using the same vulnerability.
* Limitations include content filters (though allowing  yet blocking important JS keywords seems not that realistic to me), being vulnerable only to GET requests (limits script size to some 900 bytes; depending on implementation).
A possible benefit (to the attacker) of including the script is being able to host it on a server he controls; thus the script can be changed while the attack is live and some tracking (how many people downloaded the script) can be done.
OTOH, the attacker gets (more) trackable, too.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520821</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28526107</id>
	<title>This is useless</title>
	<author>Anonymous</author>
	<datestamp>1246363080000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Adobe did the same thing to prevent ActionScript cross-site scripting. This bothered everyone, and now you have security.allowDomain = "*"; all over the internet...</p></htmltext>
<tokentext>Adobe did the same thing to prevent actionscript cross site scripting .
This bothered everyone , and now you have security.allowDomain = " * " ; all over the internet ... .</tokentext>
<sentencetext>Adobe did the same thing to prevent actionscript cross site scripting.
This bothered everyone, and now you have security.allowDomain = "*"; all over the internet ....</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28531171</id>
	<title>Re:as an end user</title>
	<author>FuzzyBad-Mofo</author>
	<datestamp>1246385700000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>I surely hope NOT, as that would break any web site that uses JSON, Google-hosted scripts, etc.</p></htmltext>
<tokentext>I surely hope NOT , as that would break any web site that uses JSON , Google-hosted scripts , etc .</tokentext>
<sentencetext>I surely hope NOT, as that would break any web site that uses JSON, Google-hosted scripts, etc.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520787</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28525117</id>
	<title>Next step</title>
	<author>chrysalis</author>
	<datestamp>1246393080000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Next step: educate PHP users so that they have a clue about security?</p></htmltext>
<tokentext>Next step : educate PHP users so that they have a clue about security ?</tokentext>
<sentencetext>Next step: educate PHP users so that they have a clue about security?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28525739</id>
	<title>"Disable JavaScript"</title>
	<author>Waccoon</author>
	<datestamp>1246357500000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Well, it's about time somebody does <i>something</i>.  For years JavaScript has been an on/off affair, and it's been driving me nuts both as a web surfer and a developer.</p><p>They can do whatever they want for Joe Average to ensure advertisers won't complain, but please, can <i>I</i> have the ability to allow scripts to run only from the same domain as the originating page?  Please?  Just a simple checkbox will do, thank you.</p></htmltext>
<tokentext>Well , it 's about time somebody does something .
For years JavaScript has been an on/off affair , and it 's been driving me nuts both as a web surfer and a developer.They can do whatever they want for Joe Average to ensure advertisers wo n't complain , but please , can I have the ability to allow scripts to run only from the same domain as the originating page ?
Please ? Just a simple checkbox will do , thank you .</tokentext>
<sentencetext>Well, it's about time somebody does something.
For years JavaScript has been an on/off affair, and it's been driving me nuts both as a web surfer and a developer.They can do whatever they want for Joe Average to ensure advertisers won't complain, but please, can I have the ability to allow scripts to run only from the same domain as the originating page?
Please?  Just a simple checkbox will do, thank you.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521247</id>
	<title>Break Bookmarklets?</title>
	<author>zmnatz</author>
	<datestamp>1246276440000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Just wondering, wouldn't this break a lot of bookmarklets, since they are essentially JavaScript being run from a different location on the site? Correct me if I'm wrong (I probably am). Just wondering.</p></htmltext>
<tokentext>Just wondering , would n't this break a lot of bookmarklets since they are essentially javascript being run from a different location on the site .
Correct me if I 'm wrong ( I probably am ) .
Just wondering</tokentext>
<sentencetext>Just wondering, wouldn't this break a lot of bookmarklets, since they are essentially javascript being run from a different location on the site?
Correct me if I'm wrong (I probably am).
Just wondering</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521725</id>
	<title>Re:Good idea</title>
	<author>CarpetShark</author>
	<datestamp>1246278840000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><blockquote><div><p>As long as this isn't something that can easily be compromised then I think this is an excellent way of handling the problem.</p></div></blockquote><p>From the summary:</p><blockquote><div><p>The standard, called Content Security Policy, will let a website specify what Internet domains are allowed to host the scripts that run on its pages.</p></div></blockquote><p>As long as this "standard" is the one called HyperText Markup Language, then this makes sense. HTML is intended to say what scripts run on a page. If that's broken, then the HTML should be fixed. Somehow I suspect it's not broken, but that developers' implementations of sites are.</p>
	</htmltext>
<tokenext>As long as this is n't something that can easily be compromised then I think this is an excellent way of handling the problem.From the summary : The standard , called Content Security Policy , will let a website specify what Internet domains are allowed to host the scripts that run on its pages.As long as this " standard " is the one called HyperText Markup Language , then this makes sense .
HTML is intended to say what scripts run on a page .
If that 's broken , then the HTML should be fixed .
Somehow I suspect it 's not broken , but that developers ' implementations of sites are .</tokentext>
<sentencetext>As long as this isn't something that can easily be compromised then I think this is an excellent way of handling the problem.From the summary:The standard, called Content Security Policy, will let a website specify what Internet domains are allowed to host the scripts that run on its pages.As long as this "standard" is the one called HyperText Markup Language, then this makes sense.
HTML is intended to say what scripts run on a page.
If that's broken, then the HTML should be fixed.
Somehow I suspect it's not broken, but that developers' implementations of sites are.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520793</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520787</id>
	<title>as an end user</title>
	<author>Anonymous</author>
	<datestamp>1246273980000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext><p>I really hope the default policy is "only allow scripts from the current domain" and "do not allow the site to override my choice".</p></htmltext>
<tokenext>I really hope the default policy is " only allow scripts from the current domain " and " do not allow the site to override my choice " .</tokentext>
<sentencetext>I really hope the default policy is "only allow scripts from the current domain" and "do not allow the site to override my choice".</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28522851</id>
	<title>Umm...</title>
	<author>Anonymous</author>
	<datestamp>1246285140000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Why would anyone run cross site scripts *now*, except in clearly white-hat uses?</p></htmltext>
<tokenext>Why would anyone run cross site scripts * now * , except in clearly white-hat uses ?</tokentext>
<sentencetext>Why would anyone run cross site scripts *now*, except in clearly white-hat uses?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521307</id>
	<title>Re:Old Standard to Prevent All Attacks</title>
	<author>jonbryce</author>
	<datestamp>1246276740000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>2</modscore>
	<htmltext><div class="quote"><p>Don't depend on user-generated content, since it's shit. If your site can't provide its own content, at least properly filter incoming user content down to plain ol' text.</p></div><p>I suggest you resign from Slashdot as soon as possible then ...</p>
	</htmltext>
<tokenext>Do n't depend on user-generated content , since it 's shit .
If your site ca n't provide its own content , at least properly filter incoming user content down to plain ol ' text.I suggest you resign from Slashdot as soon as possible then ...</tokentext>
<sentencetext>Don't depend on user-generated content, since it's shit.
If your site can't provide its own content, at least properly filter incoming user content down to plain ol' text.I suggest you resign from Slashdot as soon as possible then ...
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520935</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521335</id>
	<title>Re:Yea. they are free. right.</title>
	<author>maxume</author>
	<datestamp>1246276920000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>It will default to off. Defaulting to on would mean that offsite images would no longer load (nor would any content that is pulled from a CDN).</p></htmltext>
<tokenext>It will default to off .
Defaulting to on would mean that offsite images would no longer load ( nor would any content that is pulled from a CDN ) .</tokentext>
<sentencetext>It will default to off.
Defaulting to on would mean that offsite images would no longer load (nor would any content that is pulled from a CDN).</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521155</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28529323</id>
	<title>Re:as an end user</title>
	<author>tepples</author>
	<datestamp>1246380540000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><div class="quote"><p>As an end user I really hope that the sites I visit have a default policy of "we only serve up our own shit".</p></div><p>Then I guess you don't visit Wikipedia, eBay, or any other site that allows its subscribers to submit works to be displayed on the site.</p>
	</htmltext>
<tokenext>As an end user I really hope that the sites I visit have a default policy of " we only serve up our own shit " .Then I guess you do n't visit Wikipedia , eBay , or any other site that allows its subscribers to submit works to be displayed on the site .</tokentext>
<sentencetext>As an end user I really hope that the sites I visit have a default policy of "we only serve up our own shit".Then I guess you don't visit Wikipedia, eBay, or any other site that allows its subscribers to submit works to be displayed on the site.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520979</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28524839</id>
	<title>Re:RFC?</title>
	<author>Joe Jay Bee</author>
	<datestamp>1246303080000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>I was thinking the same thing. If this was Microsoft, Apple or even Google claiming a "new standard" based on a feature only they've adopted (and even created) they would quite rightly get chewed out. The only way something <i>anyone</i> does alone (especially if they're still the minority in terms of market share) could be considered a "standard" is if your attitude to language is exceptionally flexible.</p></htmltext>
<tokenext>I was thinking the same thing .
If this was Microsoft , Apple or even Google claiming a " new standard " based on a feature only they 've adopted ( and even created ) they would quite rightly get chewed out .
The only way something anyone does alone ( especially if they 're still the minority in terms of market share ) could be considered a " standard " is if your attitude to language is exceptionally flexible .</tokentext>
<sentencetext>I was thinking the same thing.
If this was Microsoft, Apple or even Google claiming a "new standard" based on a feature only they've adopted (and even created) they would quite rightly get chewed out.
The only way something anyone does alone (especially if they're still the minority in terms of market share) could be considered a "standard" is if your attitude to language is exceptionally flexible.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521179</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521611</id>
	<title>Re:This is great for Firefox users...</title>
	<author>Rangataua</author>
	<datestamp>1246278300000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Eric Lawrence has already blogged on the IE Team blog in support of this approach: <a href="http://blogs.msdn.com/ie/archive/2009/06/25/declaring-security.aspx" title="msdn.com" rel="nofollow">http://blogs.msdn.com/ie/archive/2009/06/25/declaring-security.aspx</a> [msdn.com] so it is possible that CSP will be adopted more generally.</htmltext>
<tokenext>Eric Lawrence has already blogged on the IE Team blog in support of this approach : http : //blogs.msdn.com/ie/archive/2009/06/25/declaring-security.aspx [ msdn.com ] so it is possible that CSP will be adopted more generally .</tokentext>
<sentencetext>Eric Lawrence has already blogged on the IE Team blog in support of this approach: http://blogs.msdn.com/ie/archive/2009/06/25/declaring-security.aspx [msdn.com] so it is possible that CSP will be adopted more generally.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521029</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28522319</id>
	<title>How do you code without any inline scripting?</title>
	<author>Anonymous</author>
	<datestamp>1246281960000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>1</modscore>
	<htmltext><p>How would you pass parameters to scripts? How would you do AJAX or DHTML stuff based on realtime data? I suppose you could wrap everything in semantic classes and data attributes containing JSON, hell even Javascript, and then include an external script that evals them all. Inline scripting through the backdoor. Is that what they want us to do? Or have an extra Javascript file with every HTML file?</p></htmltext>
<tokenext>How would you pass parameters to scripts ?
How would you do AJAX or DHTML stuff based on realtime data ?
I suppose you could wrap everything in semantic classes and data attributes containing JSON , hell even Javascript , and then include an external script that evals them all .
Inline scripting through the backdoor .
Is that what they want us to do ?
Or have an extra Javascript file with every HTML file ?</tokentext>
<sentencetext>How would you pass parameters to scripts?
How would you do AJAX or DHTML stuff based on realtime data?
I suppose you could wrap everything in semantic classes and data attributes containing JSON, hell even Javascript, and then include an external script that evals them all.
Inline scripting through the backdoor.
Is that what they want us to do?
Or have an extra Javascript file with every HTML file?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28523703</id>
	<title>Re:How does this change userland?</title>
	<author>MikeFM</author>
	<datestamp>1246291680000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>I've been suggesting a fix like this for years, but my suggested implementation let users add further limitations. It's stupid not to let users tighten controls even if they can't make controls any weaker than the site has configured. You'll never have perfect security, but at least this is a step in the right direction.</p></htmltext>
<tokenext>I 've been suggesting a fix like this for years but my suggested implementation let users add further limitations .
It 's stupid not to let users tighten controls even if they ca n't make controls any weaker than the site has configured .
You 'll never have perfect security but at least this is a step in the right direction .</tokentext>
<sentencetext>I've been suggesting a fix like this for years but my suggested implementation let users add further limitations.
It's stupid not to let users tighten controls even if they can't make controls any weaker than the site has configured.
You'll never have perfect security but at least this is a step in the right direction.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520823</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28525231</id>
	<title>Re:Massive Overkill</title>
	<author>Anonymous</author>
	<datestamp>1246394100000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>You can't blame the web developers for everything on this one... XSS attacks get into pages from many routes. Here are the first three that come to mind: SQL injection, automated hacking script suites, virus-compromised servers (e.g., Fujacks family).</p><p>So, I see limiting domains that are allowed to run scripts as a good idea. It may prove difficult to stop attackers that can already inject content into your pages from modifying the server config so that their injected scripts are now from allowed sources. But at least it's another barrier against a successful attack.</p></htmltext>
<tokenext>You ca n't blame the web developers for everything on this one... XSS attacks get into pages from many routes .
Here 's the first three that come to mind : SQL injection , automated hacking script suites , virus compromised servers ( eg , Fujacks family ) .So , I see limiting domains that are allowed to run scripts as a good idea .
It may prove difficult to stop attackers that can already inject content into your pages from modifying the server config so that their injected scripts are now from allowed sources .
But at least it 's another barrier against a successful attack .</tokentext>
<sentencetext>You can't blame the web developers for everything on this one...  XSS attacks get into pages from many routes.
Here's the first three that come to mind: SQL injection, automated hacking script suites, virus compromised servers (eg, Fujacks family).So, I see limiting domains that are allowed to run scripts as a good idea.
It may prove difficult to stop attackers that can already inject content into your pages from modifying the server config so that their injected scripts are now from allowed sources.
But at least it's another barrier against a successful attack.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521259</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521047</id>
	<title>A step in the right direction</title>
	<author>Ambush Commander</author>
	<datestamp>1246275360000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>The first trap you will fall into thinking about this is that it should be the end-all security policy, and will solve our problems. It won't. That's not the intent, and also impossible given our diverse browser ecosystem.</p><p>The ability to tell the browser, via out-of-band, non XSS-able information, that certain scripts should not be executed, however, is a very powerful defense in depth measure, and makes it one step harder for attackers to make an attack work.</p><p>Security is a war of attrition. Bring it on.</p></htmltext>
<tokenext>The first trap you will fall into thinking about this is that it should be the end-all security policy , and will solve our problems .
It wo n't .
That 's not the intent , and also impossible given our diverse browser ecosystem.The ability to tell the browser , via out-of-band , non XSS-able information , that certain scripts should not be executed , however , is a very powerful defense in depth measure , and makes it one step harder for attackers to make an attack work.Security is a war of attrition .
Bring it on .</tokentext>
<sentencetext>The first trap you will fall into thinking about this is that it should be the end-all security policy, and will solve our problems.
It won't.
That's not the intent, and also impossible given our diverse browser ecosystem.The ability to tell the browser, via out-of-band, non XSS-able information, that certain scripts should not be executed, however, is a very powerful defense in depth measure, and makes it one step harder for attackers to make an attack work.Security is a war of attrition.
Bring it on.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28523885</id>
	<title>Re:Yea. they are free. right.</title>
	<author>Anonymous</author>
	<datestamp>1246293480000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Sigh. With a self-signed certificate, there is no guarantee that you have an encrypted session. Hint:</p><p>Client  Malicious Proxy Server  Webserver</p><p>Nothing stops the Proxy from terminating the SSL connection, logging the (now decrypted) traffic, and then starting a new encrypted connection to the Webserver.</p><p>But if the certificate has to be signed, the Malicious Proxy cannot terminate an encrypted connection pretending to be from the Webserver, as it will not have a certificate that can be used to impersonate the webserver.</p></htmltext>
<tokenext>Sigh .
With a self-signed certificate , there is no guarantee that you have an encrypted session .
Hint : Client Malicious Proxy Server WebserverNothing stops the Proxy from terminating the SSL connection , logging the ( now decrypted ) traffic , and then starting a new encrypted connection to the Webserver.But if the certificate has to be signed , the Malicious Proxy can not terminate an encrypted connection pretending to be from the Webserver , as it will not have a certificate that can be used to impersonate the webserver .</tokentext>
<sentencetext>Sigh.
With a self-signed certificate, there is no guarantee that you have an encrypted session.
Hint:Client  Malicious Proxy Server  WebserverNothing stops the Proxy from terminating the SSL connection, logging the (now decrypted) traffic, and then starting a new encrypted connection to the Webserver.But if the certificate has to be signed, the Malicious Proxy cannot terminate an encrypted connection pretending to be from the Webserver, as it will not have a certificate that can be used to impersonate the webserver.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521155</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521113</id>
	<title>Standard?</title>
	<author>Anonymous</author>
	<datestamp>1246275720000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>2</modscore>
	<htmltext><p>More than a "Firefox standard", it seems to me that this is an extension. I'm all for it, but let's call things by their name.</p></htmltext>
<tokenext>More than a " Firefox standard " , it seems to me that this is an extension .
I 'm all for it , but let 's call things by their name .</tokentext>
<sentencetext>More than a "Firefox standard", it seems to me that this is an extension.
I'm all for it, but let's call things by their name.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28527759</id>
	<title>Re:as an end user</title>
	<author>SCHecklerX</author>
	<datestamp>1246374300000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>After the stunt the noscript author pulled with adblock's filterset, I will never use it again.  It simply cannot be trusted.  It is malware.</p></htmltext>
<tokenext>After the stunt the noscript author pulled with adblock 's filterset , I will never use it again .
It simply can not be trusted .
It is malware .</tokentext>
<sentencetext>After the stunt the noscript author pulled with adblock's filterset, I will never use it again.
It simply cannot be trusted.
It is malware.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28522949</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520821</id>
	<title>No more hacking anti piracy organizations?</title>
	<author>basementman</author>
	<datestamp>1246274280000</datestamp>
	<modclass>Offtopic</modclass>
	<modscore>0</modscore>
	<htmltext>So does this mean we can't hack anti piracy organizations any more?

<a href="http://torrentfreak.com/mpaa-website-now-with-torrents-090502/" title="torrentfreak.com">http://torrentfreak.com/mpaa-website-now-with-torrents-090502/</a> [torrentfreak.com]
<a href="http://torrentfreak.com/riaa-site-features-torrentfreaks-latest-news-090504/" title="torrentfreak.com">http://torrentfreak.com/riaa-site-features-torrentfreaks-latest-news-090504/</a> [torrentfreak.com]</htmltext>
<tokenext>So does this mean we ca n't hack anti piracy organizations any more ?
http : //torrentfreak.com/mpaa-website-now-with-torrents-090502/ [ torrentfreak.com ] http : //torrentfreak.com/riaa-site-features-torrentfreaks-latest-news-090504/ [ torrentfreak.com ]</tokentext>
<sentencetext>So does this mean we can't hack anti piracy organizations any more?
http://torrentfreak.com/mpaa-website-now-with-torrents-090502/ [torrentfreak.com]
http://torrentfreak.com/riaa-site-features-torrentfreaks-latest-news-090504/ [torrentfreak.com]</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521679</id>
	<title>Re:Old Standard to Prevent All Attacks</title>
	<author>sexconker</author>
	<datestamp>1246278660000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>2</modscore>
	<htmltext><p>Why is this modded troll?</p><p>99.99999% of attacks are the result of:</p><p>Malicious ads and clickthrough "offers" after a sale is processed<br>Vulnerabilities in PDF, Flash, etc.<br>Malicious content uploaded by users (javascript, sql injection, malformed jpegs, what have you)<br>Domain hijacking<br>General "LOL I GOT UR PASSWORD" shenanigans</p></htmltext>
<tokenext>Why is this modded troll ? 99.99999 % of attacks are the result of : Malicious ads and clickthrough " offers " after a sale is processedVulnerabilities in PDF , Flash , etc.Malicious content uploaded by users ( javascript , sql injection , malformed jpegs , what have you ) Domain hijackingGeneral " LOL I GOT UR PASSWORD " shenanigans</tokentext>
<sentencetext>Why is this modded troll?99.99999% of attacks are the result of:Malicious ads and clickthrough "offers" after a sale is processedVulnerabilities in PDF, Flash, etc.Malicious content uploaded by users (javascript, sql injection, malformed jpegs, what have you)Domain hijackingGeneral "LOL I GOT UR PASSWORD" shenanigans</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520935</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520793</id>
	<title>Good idea</title>
	<author>thetoadwarrior</author>
	<datestamp>1246274040000</datestamp>
	<modclass>Redundant</modclass>
	<modscore>0</modscore>
	<htmltext>As long as this isn't something that can easily be compromised then I think this is an excellent way of handling the problem.</htmltext>
<tokenext>As long as this is n't something that can easily be compromised then I think this is an excellent way of handling the problem .</tokentext>
<sentencetext>As long as this isn't something that can easily be compromised then I think this is an excellent way of handling the problem.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28522935</id>
	<title>PLEASE GOD NOOO! ;)</title>
	<author>Hurricane78</author>
	<datestamp>1246285860000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>1</modscore>
	<htmltext><p>Please don't let this become the same horror that it is with plugins.</p><p>If you ever tried to add an applet or anything embedded into a site that came from some other domain (like an mp3 stream), you will know what I am talking about.<br>It just gets blocked, except if you have a signed certificate and other shit that you can only get for money. And then it is still a huge mess to set up.</p><p>In my eyes this stifled web technology quite a bit.</p><p>Additionally, what do you do when you yourself have several domains and subdomains? Like a global domain for common things, like the base stylesheet and script libs, and local domains that use them. Etc.</p><p>It's good to make this safe. <strong>But it absolutely must be done right.</strong> Or else, there will be a giant mess. :/</p></htmltext>
<tokenext>Please do n't let this become the same horrors , that it is with plugins.If you ever tried to add an applet or anything embedded into a site , that came from some other domain ( like an mp3 stream ) , you will know what I am talking about.It just gets blocked , except if you have a signed certificate and other shit , that you can only get for money .
And then it is still a huge mess to set up.In my eyes this stifled web technology quite a bit.Additionally , what do you do , when you yourself have several domains and subdomains ?
Like a global domain for common things , like the base stylesheet and script libs , and local domains , that use them .
Etc.It 's good to make this safe .
But it absolutely must be done right .
Or else , there will be a giant mess .
: /</tokentext>
<sentencetext>Please don't let this become the same horrors, that it is with plugins.If you ever tried to add an applet or anything embedded into a site, that came from some other domain (like an mp3 stream), you will know what I am talking about.It just gets blocked, except if you have a signed certificate and other shit, that you can only get for money.
And then it is still a huge mess to set up.In my eyes this stifled web technology quite a bit.Additionally, what do you do, when you yourself have several domains and subdomains?
Like a global domain for common things, like the base stylesheet and script libs, and local domains, that use them.
Etc.It's good to make this safe.
But it absolutely must be done right.
Or else, there will be a giant mess.
:/</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521051</id>
	<title>NOT a standard</title>
	<author>Anonymous</author>
	<datestamp>1246275360000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>3</modscore>
	<htmltext>The summary is wrong, this is NOT a standard in any way, or even a proposed standard.  This is a proprietary security feature being introduced by Firefox.  I'm not saying this is a bad thing (it's not), or that this won't eventually become a de facto standard (it might).  But it is not a standard.</htmltext>
<tokenext>The summary is wrong , this is NOT a standard in any way , or even a proposed standard .
This is a proprietary security feature being introduced by Firefox .
I 'm not saying this is a bad thing ( it 's not ) , or that this wo n't eventually become a de facto standard ( it might ) .
But it is not a standard .</tokentext>
<sentencetext>The summary is wrong, this is NOT a standard in any way, or even a proposed standard.
This is a proprietary security feature being introduced by Firefox.
I'm not saying this is a bad thing (it's not), or that this won't eventually become a de facto standard (it might).
But it is not a standard.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28522949</id>
	<title>Re:as an end user</title>
	<author>Arker</author>
	<datestamp>1246285920000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>2</modscore>
	<htmltext><blockquote><div><p>I really hope the default policy is "only allow scripts from the current domain" and "do not allow the site to override my choice".</p></div></blockquote><p>Noscript does this.</p><p>Which brings me to the observation that, at least as far as I can tell from the blurb, this entire thing sounds a bit redundant in light of the ready availability of Noscript. Why not just make it part of the default firefox install instead?</p>
	</htmltext>
<tokenext>I really hope the default policy is " only allow scripts from the current domain " and " do not allow the site to override my choice " .Noscript does this .
Which brings me to the observation that , at least as far as I can tell from the blurb , this entire thing sounds a bit redundant in light of the ready availability of Noscript .
Why not just make it part of the default firefox install instead ?</tokentext>
<sentencetext>I really hope the default policy is "only allow scripts from the current domain" and "do not allow the site to override my choice".Noscript does this.
Which brings me to the observation that, at least as far as I can tell from the blurb, this entire thing sounds a bit redundant in light of the ready availability of Noscript.
Why not just make it part of the default firefox install instead? 
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520787</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520905</id>
	<title>Use a file?</title>
	<author>Anonymous</author>
	<datestamp>1246274640000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>1</modscore>
	<htmltext>Instead of making me modify each file to send that header/meta tag, why not make it like the flash security files and just have a file in the root directory.</htmltext>
<tokenext>Instead of making me modify each file to send that header/meta tag , why not make it like the flash security files and just have a file in the root directory .</tokentext>
<sentencetext>Instead of making me modify each file to send that header/meta tag, why not make it like the flash security files and just have a file in the root directory.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521019</id>
	<title>Re:How does this change userland?</title>
	<author>TheRealMindChild</author>
	<datestamp>1246275180000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><i>I will still run with noscript installed because I've yet to see a good XSS-preventing implementation that will allow *me*, as a user, to easily define what sites can run scripts on the sites I visit</i> <br> <br>Dude. How are *you* going to know that it is ok to run scripts on Slashdot.org that originate from slashdotscripts.com and not scriptsforslashdot.com? Even if you are a lunatic and micromanage the trusted sources of these scripts, how would selectively running any of them do you any good? I would imagine almost all sites are going to break horribly if you only enable HALF of the scripts, where flat out disabling them/running all scripts will give you a working site.</htmltext>
<tokenext>I will still run with noscript installed because I 've yet to see a good XSS-preventing implementation that will allow * me * , as a user , to easily define what sites can run scripts on the sites I visit Dude .
How are * you * going to know that it is ok to run scripts on Slashdot.org that originate from slashdotscripts.com and not scriptsforslashdot.com ?
Even if you are a lunatic and micromanage the trusted sources of these scripts , how would selectively running any of them do you any good ?
I would imagine almost all sites are going to break horribly if you only enable HALF of the scripts , where flat out disabling them/running all scripts will give you a working site .</tokentext>
<sentencetext>I will still run with noscript installed because I've yet to see a good XSS-preventing implementation that will allow *me*, as a user, to easily define what sites can run scripts on the sites I visit  Dude.
How are *you* going to know that it is ok to run scripts on Slashdot.org that originate from slashdotscripts.com and not scriptsforslashdot.com?
Even if you are a lunatic and micromanage the trusted sources of these scripts, how would selectively running any of them do you any good?
I would imagine almost all sites are going to break horribly if you only enable HALF of the scripts, where flat out disabling them/running all scripts will give you a working site.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520823</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521735</id>
	<title>Re:Yea. they are free. right.</title>
	<author>ZorinLynx</author>
	<datestamp>1246278900000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Anyone doing business should have a legitimate SSL certificate for the site and not use a self-signed certificate. Anyone using a website should be wary of any business site using a self-signed certificate.</p><p>Self-signed certificates are okay for personal servers where you know you or a friend signed the cert, but if you're doing business it is a VERY BAD IDEA to use or trust self-signed certs. Firefox's behavior is correct in this regard.</p></htmltext>
<tokenext>Anyone doing business should have a legitimate SSL certificate for the site and not use a self-signed certificate .
Anyone using a website should be wary of any business site using a self-signed certificate .
Self-signed certificates are okay for personal servers where you know you or a friend signed the cert , but if you 're doing business it is a VERY BAD IDEA to use or trust self-signed certs .
Firefox 's behavior is correct in this regard .</tokentext>
<sentencetext>Anyone doing business should have a legitimate SSL certificate for the site and not use a self-signed certificate.
Anyone using a website should be wary of any business site using a self-signed certificate.
Self-signed certificates are okay for personal servers where you know you or a friend signed the cert, but if you're doing business it is a VERY BAD IDEA to use or trust self-signed certs.
Firefox's behavior is correct in this regard.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521155</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28522375</id>
	<title>Re:How does this change userland?</title>
	<author>Anonymous</author>
	<datestamp>1246282260000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>What irritates me is that all the browsers I've ever heard of run everything they can <i>by default</i>. The only distro coming even close to something sane is Gentoo with the "restrict-javascript" USE flag with firefox (that pulls in noscript, but still does not enable it by default).</p><p>Of course I can't know about everything, feel free to correct me.</p></htmltext>
<tokenext>What irritates me is that all the browsers I 've ever heard of run everything they can by default .
The only distro coming even close to something sane is Gentoo with the " restrict-javascript " USE flag with firefox ( that pulls in noscript , but still does not enable it by default ) .
Of course I ca n't know about everything , feel free to correct me .</tokentext>
<sentencetext>What irritates me is that all the browsers I've ever heard of run everything they can by default.
The only distro coming even close to something sane is Gentoo with the "restrict-javascript" USE flag with firefox (that pulls in noscript, but still does not enable it by default).
Of course I can't know about everything, feel free to correct me.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521027</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521031</id>
	<title>The Linux Party</title>
	<author>Anonymous</author>
	<datestamp>1246275240000</datestamp>
	<modclass>Offtopic</modclass>
	<modscore>-1</modscore>
	<htmltext><p> <a href="http://www.trollaxor.com/2001/12/linux-party.html" title="trollaxor.com" rel="nofollow">First, there was a plan: how to bring together the two different development groups at work? My boss said there was a sort of tension he thought could be eased by some social interaction. Not easy. Both the different development groups despised one another, each thinking its "art" was more important and eloquent than the others'.</a> [trollaxor.com] </p><p>First there was the XML group. They worked on our website, documentation and formatting, and simple configuration apps and some front-ends to Java stuff. They also did our web sites. They used CSS, HTML, XSL, JavaScript, and a bit of Java. They typically dressed casually, drank coffee and tea, and liked to work straight from the spec: no "Learn XSL in 30 Days" books were to be found in their cubicle farm.</p><p>Then we had the Linux developers. They worked "special hours," coming in at one and staying late, supposedly, until seven or eight at night. They enjoyed Bawls and had a penchant for ThinkGeek t-shirts and cracking jokes about Win32 API calls and the dreaded Blue Screen of Death. They all had beards or mullets or long, unwashed hair. Some had penguin or C code tattoos. Their cubicle farm was known for the bleating laughter that exploded when one of them found a silly bug on someone else's code, and for the rotten, fetid stench that could only be compared to three-day-old shit reeking from inside a rotting corpse's abdominal cavity.</p><p>So, in order to get the guys to get to know each other, my boss had asked me to organize a during-hours, alcohol-friendly party. My ideas ranged from a keg or two to live entertainment, AKA strippers. But as to what to get them to actually talk to each other in a human manner I had no clue. 
So I let it go til the last minute and decided to let my inherent creativity mull it over in the back of my head.</p><p>When the day of the party had arrived, the catering company brought in a few trays of lunch meat, chicken, pizza, and side dishes, I had picked up the four kegs from the local brewery, and the big-screen TV and DVD were set up ready to blast the Matrix into the eyes and ears of my co-workers. The eagerness in the air was encouraging and I thought that loosening up and smiles going on even now were a good sign. I even saw some of the guys who'd known each other previously begin to bunch up, bringing along the co-workers they knew from everyday work.</p><p>The first thing everyone did was hit the food line, loading up their plates and grabbing a cup for beer to wash it down with. A few approached me and thanked me for the food; it seems appeasing the belly really did tame the beast. After a few minutes of silence and eating and a few second and third courses, the guys were ready to sit down and be entertained. After asking if anyone needed anything else before the movie started, the lights went out and the Matrix began playing. I heard a few enthusiastic comments and jokes being told.</p><p>About half-way through the movie I noticed a lot of the Linux guys getting up and presumably going to the restroom. No surprise, as the second keg was history by now and the third was probably half-way gone. I also noticed some of the guys bumping into things and stumbling. Alcohol's the social lubricant, eh? Well, not long after, my bladder beckoned and I answered. As I made my way to the restroom, I had a self-satisfied smile on my face: my little plan was working, my boss would be happy, and it might even a Christmas bonus or a promotion (even if in title only).</p><p>Well, as soon as I pushed the restroom door open, I knew something was wrong. The smell of vomit was pretty strong and I hoped that it'd only been the work of one guy. 
But the smell was so pungent! After standing at the urinal, waiting for the golden flow to commence, I stood in silence. It was then that I heard grunting. Listening intently for a few seconds, I hoped whoever was upchucking their beer and munchies wasn't leaving a huge mess for the cleanup crew. After pissing and still hearing the noise, I approached the stal</p></htmltext>
<tokenext>First , there was a plan : how to bring together the two different development groups at work ?
My boss said there was a sort of tension he thought could be eased by some social interaction .
Not easy .
Both the different development groups despised one another , each thinking its " art " was more important and eloquent than the others' .
[ trollaxor.com ] First there was the XML group .
They worked on our website , documentation and formatting , and simple configuration apps and some front-ends to Java stuff .
They also did our web sites .
They used CSS , HTML , XSL , JavaScript , and a bit of Java .
They typically dressed casually , drank coffee and tea , and liked to work straight from the spec : no " Learn XSL in 30 Days " books were to be found in their cubicle farm .
Then we had the Linux developers .
They worked " special hours , " coming in at one and staying late , supposedly , until seven or eight at night .
They enjoyed Bawls and had a penchant for ThinkGeek t-shirts and cracking jokes about Win32 API calls and the dreaded Blue Screen of Death .
They all had beards or mullets or long , unwashed hair .
Some had penguin or C code tattoos .
Their cubicle farm was known for the bleating laughter that exploded when one of them found a silly bug on someone else 's code , and for the rotten , fetid stench that could only be compared to three-day-old shit reeking from inside a rotting corpse 's abdominal cavity .
So , in order to get the guys to get to know each other , my boss had asked me to organize a during-hours , alcohol-friendly party .
My ideas ranged from a keg or two to live entertainment , AKA strippers .
But as to what to get them to actually talk to each other in a human manner I had no clue .
So I let it go til the last minute and decided to let my inherent creativity mull it over in the back of my head .
When the day of the party had arrived , the catering company brought in a few trays of lunch meat , chicken , pizza , and side dishes , I had picked up the four kegs from the local brewery , and the big-screen TV and DVD were set up ready to blast the Matrix into the eyes and ears of my co-workers .
The eagerness in the air was encouraging and I thought that loosening up and smiles going on even now were a good sign .
I even saw some of the guys who 'd known each other previously begin to bunch up , bringing along the co-workers they knew from everyday work .
The first thing everyone did was hit the food line , loading up their plates and grabbing a cup for beer to wash it down with .
A few approached me and thanked me for the food ; it seems appeasing the belly really did tame the beast .
After a few minutes of silence and eating and a few second and third courses , the guys were ready to sit down and be entertained .
After asking if anyone needed anything else before the movie started , the lights went out and the Matrix began playing .
I heard a few enthusiastic comments and jokes being told .
About half-way through the movie I noticed a lot of the Linux guys getting up and presumably going to the restroom .
No surprise , as the second keg was history by now and the third was probably half-way gone .
I also noticed some of the guys bumping into things and stumbling .
Alcohol 's the social lubricant , eh ?
Well , not long after , my bladder beckoned and I answered .
As I made my way to the restroom , I had a self-satisfied smile on my face : my little plan was working , my boss would be happy , and it might even a Christmas bonus or a promotion ( even if in title only ) .
Well , as soon as I pushed the restroom door open , I knew something was wrong .
The smell of vomit was pretty strong and I hoped that it 'd only been the work of one guy .
But the smell was so pungent !
After standing at the urinal , waiting for the golden flow to commence , I stood in silence .
It was then that I heard grunting .
Listening intently for a few seconds , I hoped whoever was upchucking their beer and munchies was n't leaving a huge mess for the cleanup crew .
After pissing and still hearing the noise , I approached the stal</tokentext>
<sentencetext> First, there was a plan: how to bring together the two different development groups at work?
My boss said there was a sort of tension he thought could be eased by some social interaction.
Not easy.
Both the different development groups despised one another, each thinking its "art" was more important and eloquent than the others'.
[trollaxor.com] First there was the XML group.
They worked on our website, documentation and formatting, and simple configuration apps and some front-ends to Java stuff.
They also did our web sites.
They used CSS, HTML, XSL, JavaScript, and a bit of Java.
They typically dressed casually, drank coffee and tea, and liked to work straight from the spec: no "Learn XSL in 30 Days" books were to be found in their cubicle farm.
Then we had the Linux developers.
They worked "special hours," coming in at one and staying late, supposedly, until seven or eight at night.
They enjoyed Bawls and had a penchant for ThinkGeek t-shirts and cracking jokes about Win32 API calls and the dreaded Blue Screen of Death.
They all had beards or mullets or long, unwashed hair.
Some had penguin or C code tattoos.
Their cubicle farm was known for the bleating laughter that exploded when one of them found a silly bug on someone else's code, and for the rotten, fetid stench that could only be compared to three-day-old shit reeking from inside a rotting corpse's abdominal cavity.
So, in order to get the guys to get to know each other, my boss had asked me to organize a during-hours, alcohol-friendly party.
My ideas ranged from a keg or two to live entertainment, AKA strippers.
But as to what to get them to actually talk to each other in a human manner I had no clue.
So I let it go til the last minute and decided to let my inherent creativity mull it over in the back of my head.
When the day of the party had arrived, the catering company brought in a few trays of lunch meat, chicken, pizza, and side dishes, I had picked up the four kegs from the local brewery, and the big-screen TV and DVD were set up ready to blast the Matrix into the eyes and ears of my co-workers.
The eagerness in the air was encouraging and I thought that loosening up and smiles going on even now were a good sign.
I even saw some of the guys who'd known each other previously begin to bunch up, bringing along the co-workers they knew from everyday work.
The first thing everyone did was hit the food line, loading up their plates and grabbing a cup for beer to wash it down with.
A few approached me and thanked me for the food; it seems appeasing the belly really did tame the beast.
After a few minutes of silence and eating and a few second and third courses, the guys were ready to sit down and be entertained.
After asking if anyone needed anything else before the movie started, the lights went out and the Matrix began playing.
I heard a few enthusiastic comments and jokes being told.
About half-way through the movie I noticed a lot of the Linux guys getting up and presumably going to the restroom.
No surprise, as the second keg was history by now and the third was probably half-way gone.
I also noticed some of the guys bumping into things and stumbling.
Alcohol's the social lubricant, eh?
Well, not long after, my bladder beckoned and I answered.
As I made my way to the restroom, I had a self-satisfied smile on my face: my little plan was working, my boss would be happy, and it might even a Christmas bonus or a promotion (even if in title only).
Well, as soon as I pushed the restroom door open, I knew something was wrong.
The smell of vomit was pretty strong and I hoped that it'd only been the work of one guy.
But the smell was so pungent!
After standing at the urinal, waiting for the golden flow to commence, I stood in silence.
It was then that I heard grunting.
Listening intently for a few seconds, I hoped whoever was upchucking their beer and munchies wasn't leaving a huge mess for the cleanup crew.
After pissing and still hearing the noise, I approached the stal</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521045</id>
	<title>Re:Managers</title>
	<author>EvanED</author>
	<datestamp>1246275300000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>If you'll notice, CSS was already taken for web-stuff, and X often means "cross", so it does actually make sense.</p></htmltext>
<tokenext>If you 'll notice , CSS was already taken for web-stuff , and X often means " cross " , so it does actually make sense .</tokentext>
<sentencetext>If you'll notice, CSS was already taken for web-stuff, and X often means "cross", so it does actually make sense.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520811</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521523</id>
	<title>eBay and MySpace?</title>
	<author>POWRSURG</author>
	<datestamp>1246277880000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>3</modscore>
	<htmltext><p>CSP is effectively server-side NoScript. And it isn't exactly new either. This has been in development as a Firefox extension for at least a year. The article mentions it being first crafted back in 2005.</p><p>The issue I take with this article is that they suggest this feature could even possibly be integrated into eBay or MySpace. These two giants seem like the exact opposite type of market that would use this -- any site that allows users to post their own data is not going to possibly survive the wrath they would catch if users had to explicitly allow the domains they want scripts to run on. For a corporate Web site yes, but for something for the masses or those of us that run a CMS? I don't see that as happening anytime soon.</p></htmltext>
<tokenext>CSP is effectively server-side NoScript .
And it is n't exactly new either .
This has been in development as a Firefox extension for at least a year .
The article mentions it being first crafted back in 2005 .
The issue I take with this article is that they suggest this feature could even possibly be integrated into eBay or MySpace .
These two giants seem like the exact opposite type of market that would use this -- any site that allows users to post their own data is not going to possibly survive the wrath they would catch if users had to explicitly allow the domains they want scripts to run on .
For a corporate Web site yes , but for something for the masses or those of us that run a CMS ?
I do n't see that as happening anytime soon .</tokentext>
<sentencetext>CSP is effectively server-side NoScript.
And it isn't exactly new either.
This has been in development as a Firefox extension for at least a year.
The article mentions it being first crafted back in 2005.
The issue I take with this article is that they suggest this feature could even possibly be integrated into eBay or MySpace.
These two giants seem like the exact opposite type of market that would use this -- any site that allows users to post their own data is not going to possibly survive the wrath they would catch if users had to explicitly allow the domains they want scripts to run on.
For a corporate Web site yes, but for something for the masses or those of us that run a CMS?
I don't see that as happening anytime soon.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520823</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28523309</id>
	<title>Re:Old Standard to Prevent All Attacks</title>
	<author>Runaway1956</author>
	<datestamp>1246288380000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>2</modscore>
	<htmltext><p>Sexconker is modded a troll - quite unfairly.  Cross site scripting sucks.  Simple as that.  I go to a site, first thing I see is noscript's popup message that anywhere between 2 and 20 sites want to run scripts in my browser.  I click the popup, to see WHO wants to run scripts.  Sometimes, it's easy to see who wants to do what, and deciding to allow site a, but not site b is quite simple.</p><p>Often enough, it's just not that simple.  I want to see some stupid flash presentation, and the only way to see it is to enable flash.  Unfortunately, three different sites are offering a flash.  Which one do I want?  I choose one to be allowed, and I get rickrolled.</p><p>That is hamshite.  Nothing more, and nothing less.  The original site should be hosting its own material, or they should supply the link to see the flash presentation.  Cross site scripting is a ripoff that just helps to confuse the security conscious.  And, God knows there are far too few users who are conscious.  (I'd like to see a scientific poll that demonstrates just how many users really are brain dead - it has to be over 20%, and might be over 50%)</p></htmltext>
<tokenext>Sexconker is modded a troll - quite unfairly .
Cross site scripting sucks .
Simple as that .
I go to a site , first thing I see is noscript 's popup message that anywhere between 2 and 20 sites want to run scripts in my browser .
I click the popup , to see WHO wants to run scripts .
Sometimes , it 's easy to see who wants to do what , and deciding to allow site a , but not site b is quite simple .
Often enough , it 's just not that simple .
I want to see some stupid flash presentation , and the only way to see it is to enable flash .
Unfortunately , three different sites are offering a flash .
Which one do I want ?
I choose one to be allowed , and I get rickrolled .
That is hamshite .
Nothing more , and nothing less .
The original site should be hosting its own material , or they should supply the link to see the flash presentation .
Cross site scripting is a ripoff that just helps to confuse the security conscious .
And , God knows there are far too few users who are conscious .
( I 'd like to see a scientific poll that demonstrates just how many users really are brain dead - it has to be over 20 % , and might be over 50 % )</tokentext>
<sentencetext>Sexconker is modded a troll - quite unfairly.
Cross site scripting sucks.
Simple as that.
I go to a site, first thing I see is noscript's popup message that anywhere between 2 and 20 sites want to run scripts in my browser.
I click the popup, to see WHO wants to run scripts.
Sometimes, it's easy to see who wants to do what, and deciding to allow site a, but not site b is quite simple.
Often enough, it's just not that simple.
I want to see some stupid flash presentation, and the only way to see it is to enable flash.
Unfortunately, three different sites are offering a flash.
Which one do I want?
I choose one to be allowed, and I get rickrolled.
That is hamshite.
Nothing more, and nothing less.
The original site should be hosting its own material, or they should supply the link to see the flash presentation.
Cross site scripting is a ripoff that just helps to confuse the security conscious.
And, God knows there are far too few users who are conscious.
(I'd like to see a scientific poll that demonstrates just how many users really are brain dead - it has to be over 20%, and might be over 50%)</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520935</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28526951</id>
	<title>Re:How does this change userland?</title>
	<author>Anonymous</author>
	<datestamp>1246370580000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>1</modscore>
	<htmltext><blockquote><div><p>Of course, I'm slightly paranoid. [...] And for security-critical sites like banks, this is a good thing...</p></div></blockquote><p>Of course, I'm slightly paranoid, too. That aside, for security-critical sites like banks, there is no such thing as a good dependency on JavaScript. These banks teach their users to behave insecurely:</p><p><tt>1. Please, behave securely, have some tea and<br>
&nbsp; antivirus installed, don't tell anybody your<br>
	&nbsp; PIN. Update your system and browser regularly.<br>
&nbsp; Now, proceed to log in.<br>2. [Login doesn't work]<br>3. In order to use this site, please allow JavaScript.<br>4. [Login doesn't work]<br>
	&nbsp; &nbsp; &nbsp; &nbsp; 5. DAMN1 ALLOW jAVAsCRIPT111[1]<br>6. [Stupid user allows JavaScript globally]<br>5. Profit!</tt></p><p>[1] Caps-Lock pun indented ...</p>
	</htmltext>
<tokenext>Of course , I 'm slightly paranoid .
[ ... ] And for security-critical sites like banks , this is a good thing ...
Of course , I 'm slightly paranoid , too .
That aside , for security-critical sites like banks , there is no such thing as a good dependency on JavaScript .
These banks teach their users to behave insecurely :
1 . Please , behave securely , have some tea and antivirus installed , do n't tell anybody your PIN .
Update your system and browser regularly .
Now , proceed to log in .
2 . [ Login does n't work ]
3 . In order to use this site , please allow JavaScript .
4 . [ Login does n't work ]
5 . DAMN1 ALLOW jAVAsCRIPT111 [ 1 ]
6 . [ Stupid user allows JavaScript globally ]
5 . Profit !
[ 1 ] Caps-Lock pun indented ...</tokentext>
<sentencetext>Of course, I'm slightly paranoid.
[...] And for security-critical sites like banks, this is a good thing...
Of course, I'm slightly paranoid, too.
That aside, for security-critical sites like banks, there is no such thing as a good dependency on JavaScript.
These banks teach their users to behave insecurely:
1. Please, behave securely, have some tea and antivirus installed, don't tell anybody your PIN.
Update your system and browser regularly.
Now, proceed to log in.
2. [Login doesn't work]
3. In order to use this site, please allow JavaScript.
4. [Login doesn't work]
5. DAMN1 ALLOW jAVAsCRIPT111[1]
6. [Stupid user allows JavaScript globally]
5. Profit!
[1] Caps-Lock pun indented ...
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520823</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28522393</id>
	<title>Re:RFC?</title>
	<author>blair1q</author>
	<datestamp>1246282380000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Bill and Paul made about $100 billion and their bugs have become the standard that most "standards" can't dislodge.</p><p>Anyone can proclaim a "standard", recall what "RFC" stands for? It's not "peer-reviewed and passed by governing bodies."</p><p>If Mozilla is saying this is how they're building it into the code base, W3C can ignore it, but it's W3C who won't be compatible with what is standard.</p></htmltext>
<tokenext>Bill and Paul made about $ 100 billion and their bugs have become the standard that most " standards " ca n't dislodge.Anyone can proclaim a " standard " , recall what " RFC " stands for ?
It 's not " peer-reviewed and passed by governing bodies .
" If Mozilla is saying this is how they 're building it into the code base , W3C can ignore it , but it 's W3C who wo n't be compatible with what is standard .</tokentext>
<sentencetext>Bill and Paul made about $100 billion and their bugs have become the standard that most "standards" can't dislodge.Anyone can proclaim a "standard", recall what "RFC" stands for?
It's not "peer-reviewed and passed by governing bodies.
"If Mozilla is saying this is how they're building it into the code base, W3C can ignore it, but it's W3C who won't be compatible with what is standard.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521179</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520823</id>
	<title>How does this change userland?</title>
	<author>Anonymous</author>
	<datestamp>1246274280000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>4</modscore>
	<htmltext>I will still run with noscript installed because I've yet to see a good XSS-preventing implementation that will allow *me*, as a user, to easily define what sites can run scripts on the sites I visit.  And when I visit a site where I need to disable noscript, I have no other tabs/browsers open.<br> <br>I'm sorry, but NO site can be trusted 100% from a user's perspective... and giving site owners the tools to help prevent XSS from their side doesn't help with the fact that users still shouldn't trust absolutely.<br> <br>The reason something like this scares me is that it lulls users into a higher level of trust... and doesn't protect them from hacked sites, or sites that choose not to implement this.<br> <br>Of course, I'm slightly paranoid.  And of course, this isn't transparent to Joe Sixpack, so he's going to trust|!trust based on whatever it is he's basing it on now.  And for security-critical sites like banks, this is a good thing... but I try very hard to make sure my friends &amp; family are a bit paranoid too, so they'll take precautions.</htmltext>
<tokenext>I will still run with noscript installed because I 've yet to see a good XSS-preventing implementation that will allow * me * , as a user , to easily define what sites can run scripts on the sites I visit .
And when I visit a site where I need to disable noscript , I have no other tabs/browsers open .
I 'm sorry , but NO site can be trusted 100 % from a user 's perspective ... and giving site owners the tools to help prevent XSS from their side does n't help with the fact that users still should n't trust absolutely .
The reason something like this scares me is that it lulls users into a higher level of trust... and does n't protect them from hacked sites , or sites that choose not to implement this .
Of course , I 'm slightly paranoid .
And of course , this is n't transparent to Joe Sixpack , so he 's going to trust | ! trust based on whatever it is he 's basing it on now .
And for security-critical sites like banks , this is a good thing... but I try very hard to make sure my friends &amp; family are a bit paranoid too , so they 'll take precautions .</tokentext>
<sentencetext>I will still run with noscript installed because I've yet to see a good XSS-preventing implementation that will allow *me*, as a user, to easily define what sites can run scripts on the sites I visit.
And when I visit a site where I need to disable noscript, I have no other tabs/browsers open.
I'm sorry, but NO site can be trusted 100% from a user's perspective... and giving site owners the tools to help prevent XSS from their side doesn't help with the fact that users still shouldn't trust absolutely.
The reason something like this scares me is that it lulls users into a higher level of trust... and doesn't protect them from hacked sites, or sites that choose not to implement this.
Of course, I'm slightly paranoid.
And of course, this isn't transparent to Joe Sixpack, so he's going to trust|!trust based on whatever it is he's basing it on now.
And for security-critical sites like banks, this is a good thing... but I try very hard to make sure my friends &amp; family are a bit paranoid too, so they'll take precautions.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520935</id>
	<title>Old Standard to Prevent All Attacks</title>
	<author>sexconker</author>
	<datestamp>1246274760000</datestamp>
	<modclass>Troll</modclass>
	<modscore>0</modscore>
	<htmltext><p>Don't let other people serve content via your site.</p><p>Don't rely on shitty plugins from security failures such as Adobe.</p><p>Don't depend on user-generated content, since it's shit.  If your site can't provide its own content, at least properly filter incoming user content down to plain ol' text.</p><p>Don't sign up with a shitty registrar who will transfer your domain/dns/mx records to some slut like godaddy at the drop of a hat.</p><p>Don't give people the password to your account at your host/registrar, and don't give people access to your fucking ftp/ssh/direct/etc. accounts for your server.</p></htmltext>
<tokenext>Do n't let other people serve content via your site.Do n't rely on shitty plugins from security failures such as Adobe.Do n't depend on user-generated content , since it 's shit .
If your site ca n't provide it 's own content , at least properly filter incoming user content down to plain ol ' text.Do n't sign up with a shitty registrar who will transfer your domain/dns/mx records to some slut like godaddy at the drop of a hat.Do n't give people the password to your account at your host/registrar , and do n't give people access to your fucking ftp/ssh/direct/etc .
accounts for your server .</tokentext>
<sentencetext>Don't let other people serve content via your site.Don't rely on shitty plugins from security failures such as Adobe.Don't depend on user-generated content, since it's shit.
If your site can't provide its own content, at least properly filter incoming user content down to plain ol' text.Don't sign up with a shitty registrar who will transfer your domain/dns/mx records to some slut like godaddy at the drop of a hat.Don't give people the password to your account at your host/registrar, and don't give people access to your fucking ftp/ssh/direct/etc.
accounts for your server.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521287</id>
	<title>Re:How does this change userland?</title>
	<author>Jherek Carnelian</author>
	<datestamp>1246276680000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Indeed, I wish noscript would allow me to whitelist domains and even specific scripts on a per-site basis.  So, for example, I could whitelist maps.google.com's use of javascript from gstatic.com but not allow any other sites, like images.google.com, to pull in javascript from gstatic.com.</p></htmltext>
<tokenext>Indeed , I wish noscript would allow me to whitelist domains and even specific scripts on a per-site basis .
So , for example , I could whitelist maps.google.com 's use of javascript from gstatic.com but not allow any other sites , like images.google.com , to pull in javascript from gstatic.com .</tokentext>
<sentencetext>Indeed, I wish noscript would allow me to whitelist domains and even specific scripts on a per-site basis.
So, for example, I could whitelist maps.google.com's use of javascript from gstatic.com but not allow any other sites, like images.google.com, to pull in javascript from gstatic.com.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520823</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521461</id>
	<title>Re:This is great for Firefox users...</title>
	<author>Vectronic</author>
	<datestamp>1246277580000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>IE has an XSS Filter... I don't use IE enough to have bothered to investigate it, though; otherwise Opera, Safari and Chrome don't seem to be doing anything special about XSS, at least not advertising it, other than patching their own vulnerabilities against a few known methods.</p></htmltext>
<tokenext>IE has an XSS Filter... I do n't use IE enough to have bothered to investigate it though , otherwise Opera , Safari , Chrome , do n't seem to be doing anything special about XSS , at least not advertising it , other than patching their own vulnerabilities against a few known methods .</tokentext>
<sentencetext>IE has an XSS Filter... I don't use IE enough to have bothered to investigate it, though; otherwise Opera, Safari and Chrome don't seem to be doing anything special about XSS, at least not advertising it, other than patching their own vulnerabilities against a few known methods.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521029</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521179</id>
	<title>RFC?</title>
	<author>Midnight Thunder</author>
	<datestamp>1246276020000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>3</modscore>
	<htmltext><p>Is this 'standard' endorsed by anyone else or written up as part of an RFC? Calling something a standard when you are the only guys doing it sounds like a certain company that was started by Bill and Paul.</p><p>I am not trying to troll here, since I am all for the solution; I am just ensuring that this is properly documented and shared by the right entities (think W3C).</p></htmltext>
<tokenext>Is this 'standard ' endorsed by anyone else or written up as part of an RFC ?
Calling something a standard when you are the only guys doing sounds like a certain company that was started by Bill and Paul.I am not trying to troll here , since I am all for the solution , I am just ensuring that this properly documented and shared by the right entities ( think W3C ) .</tokentext>
<sentencetext>Is this 'standard' endorsed by anyone else or written up as part of an RFC?
Calling something a standard when you are the only guys doing it sounds like a certain company that was started by Bill and Paul.I am not trying to troll here, since I am all for the solution; I am just ensuring that this is properly documented and shared by the right entities (think W3C).</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521155</id>
	<title>Yea. they are free. right.</title>
	<author>unity100</author>
	<datestamp>1246275960000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Just like they have forced the 'humongous, scary SSL warning error' instead of the previous acceptable and understandable error message. It forced a lot of small businesses who used the certificates they themselves signed to buy 3rd-party certificates from vendors. Again with this change, all small businesses will have to spend more on web development charges, because most end users will set their Firefox to the prevent setting for this new feature. The 'free to do business as usual' bit is bullshit. Remember, say the word 'security', and you can even sell wars to people. So don't feed the 'free to do business as usual' bullshit to anyone.</p><p>One thing that is most damaging to us open source crowd is being too self-righteous and Jacobin. It starts to hurt us again as time passes and projects develop. This time it's happening with Firefox.</p></htmltext>
<tokenext>just like they have forced the 'humongous , scary ssl warning error ' instead of the previous acceptable and understandable error message .
it forced a lot of small businesses who used the certificates they themselves signed to buy 3rd party certificates from vendors .
again with this change , all small businesses will have to spend more on web development charges , because most end users will set their firefox to the prevent setting for this new feature .
the 'free to do business is usual ' bit is bullshit .
remember , say the word 'security ' , and you can even sell wars to people .
so dont feed the 'free to do business as usual ' bullshit to anyone.one thing that is most damaging to us open source crowd is being too self righteous and jacobin .
it starts to hurt us again as time passes and projects develops .
this time its happening with firefox .</tokentext>
<sentencetext>Just like they have forced the 'humongous, scary SSL warning error' instead of the previous acceptable and understandable error message.
It forced a lot of small businesses who used the certificates they themselves signed to buy 3rd-party certificates from vendors.
Again with this change, all small businesses will have to spend more on web development charges, because most end users will set their Firefox to the prevent setting for this new feature.
The 'free to do business as usual' bit is bullshit.
Remember, say the word 'security', and you can even sell wars to people.
So don't feed the 'free to do business as usual' bullshit to anyone. One thing that is most damaging to us open source crowd is being too self-righteous and Jacobin.
It starts to hurt us again as time passes and projects develop.
This time it's happening with Firefox.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521095</id>
	<title>Re:Use a file?</title>
	<author>EvanED</author>
	<datestamp>1246275600000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Oh, please don't do that. Don't assume that we have rights to that directory. I already really really wish I could set robots.txt for just my subdirectory, but no can do since some semi-moron thought it would be a good idea to make me mail my school department's webmaster to exclude part of my directory.</p></htmltext>
<tokenext>Oh , please do n't do that .
Do n't assume that we have rights to that directory .
I already really really wish I could set robots.txt for just my subdirectory , but no can do since some semi-moron thought it would be a good idea to make me mail my school department 's webmaster to exclude part of my directory .</tokentext>
<sentencetext>Oh, please don't do that.
Don't assume that we have rights to that directory.
I already really really wish I could set robots.txt for just my subdirectory, but no can do since some semi-moron thought it would be a good idea to make me mail my school department's webmaster to exclude part of my directory.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520905</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28523797</id>
	<title>But I want and need X-site scripting!</title>
	<author>kanweg</author>
	<datestamp>1246292640000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>I'm a bit out of my league knowledge-wise here, but in my company I have a company web application that would benefit very much from being able to do something in the window of another site. Why can't a browser (not the web app) be set to very specifically allow a particular web application to make use of another specified website? E.g. that would allow me to fill out a form with data from the web app, or vice versa to get data into my MySQL database without having to fill out the data manually, which is error-prone. Because it is a browser setting where both domains are set to specifically interact with each other, I don't see how it could be used to do anything malicious, but it would help web apps enormously.</p><p>Bert</p></htmltext>
<tokenext>I 'm a bit out of my league knowledge-wise here , but in my company I have a company web application that would benefit very much from being able to do something in the window of another site .
Why ca n't a browser ( not the web app ) be set to very specifically allow a particular web application to make use of another specified website .
E.g. that would allow me to fill out a form with data from the web app or vice versa to get data into my MySQL database without having to fill out the data manually , which is error-prone .
Because it is a browser setting where both domains are set to specifically interact with each other , I do n't see how it could be used to do anything malicious , but it would help web apps enormously.Bert</tokentext>
<sentencetext>I'm a bit out of my league knowledge-wise here, but in my company I have a company web application that would benefit very much from being able to do something in the window of another site.
Why can't a browser (not the web app) be set to very specifically allow a particular web application to make use of another specified website?
E.g. that would allow me to fill out a form with data from the web app or vice versa to get data into my MySQL database without having to fill out the data manually, which is error-prone.
Because it is a browser setting where both domains are set to specifically interact with each other, I don't see how it could be used to do anything malicious, but it would help web apps enormously.Bert</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28536969</id>
	<title>Re:Cost vs. Benefit?</title>
	<author>Simetrical</author>
	<datestamp>1246368480000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><div class="quote"><p>The author gave the best reason for not implementing this.</p><p>The benefits of this, and other various security implementations, won't be seen until it's tested. The costs of testing? Way too high compared to the current cost of operation. This is a very hard proof-of-concept problem, and unless this is already built into development standards, I doubt any deployments would switch.</p></div><p>Well, I don't know.  I'm a MediaWiki developer, and I can pretty much guarantee you that Wikipedia will use this, and that MediaWiki will support it.  If you mean some random corporate website copy-pasted through sixteen iterations of hacked-up code dating back to 1994 won't use it, then sure, maybe not.  But you can bet that some of the top websites will.</p><p>One of the coolest features is that you can specify a URL for the browser to report violations to.  That way you can catch bugs in your policies without relying on user reports, <em>and</em> you immediately learn of any attacks on your Firefox users so you can fix them quickly for your non-Firefox users.</p></htmltext>
<tokenext>The author gave the best reason for not implementing this .
The benefits of this , and other various security implementations , wo n't be seen until it 's tested .
The costs of testing ?
Way too high compared to the current cost of operation .
This is a very hard proof-of-concept problem , and unless this is already built into development standards , I doubt any deployments would switch.Well , I do n't know .
I 'm a MediaWiki developer , and I can pretty much guarantee you that Wikipedia will use this , and that MediaWiki will support it .
If you mean some random corporate website copy-pasted through sixteen iterations of hacked-up code dating back to 1994 wo n't use it , then sure , maybe not .
But you can bet that some of the top websites will .
One of the coolest features is that you can specify a URL for the browser to report violations to .
That way you can catch bugs in your policies without relying on user reports , and you immediately learn of any attacks on your Firefox users so you can fix them quickly for your non-Firefox users .</tokentext>
<sentencetext>The author gave the best reason for not implementing this.
The benefits of this, and other various security implementations, won't be seen until it's tested.
The costs of testing?
Way too high compared to the current cost of operation.
This is a very hard proof-of-concept problem, and unless this is already built into development standards, I doubt any deployments would switch.Well, I don't know.
I'm a MediaWiki developer, and I can pretty much guarantee you that Wikipedia will use this, and that MediaWiki will support it.
If you mean some random corporate website copy-pasted through sixteen iterations of hacked-up code dating back to 1994 won't use it, then sure, maybe not.
But you can bet that some of the top websites will.
One of the coolest features is that you can specify a URL for the browser to report violations to.
That way you can catch bugs in your policies without relying on user reports, and you immediately learn of any attacks on your Firefox users so you can fix them quickly for your non-Firefox users.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520883</parent>
</comment>
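Simetrical's point about the report URL is the part of CSP that pays for itself operationally, so here is an added example (not MediaWiki's or Mozilla's code) of what the receiving end of that URL can do with the reports. It uses the JSON shape that the later W3C Content Security Policy standard settled on for violation reports (a top-level "csp-report" object carrying document-uri, blocked-uri, violated-directive and original-policy) rather than the field names of Mozilla's 2009 draft; the site origin, the sample reports and the policy-bug/inline/foreign triage heuristic are all constructed here for illustration.

```javascript
// Added example: a minimal receiver for CSP violation reports.
// Report field names follow the W3C CSP "csp-report" object; the origin,
// sample reports and triage classes below are assumptions for illustration.

const SITE_ORIGIN = "https://wiki.example.org"; // assumed origin of the site being protected

// Parse one POSTed report body. Anything that is not a well-formed report
// returns null, so junk or hostile POSTs to the report endpoint are dropped
// rather than crashing the receiver.
function parseViolationReport(body) {
  let parsed;
  try {
    parsed = JSON.parse(body);
  } catch (e) {
    return null;
  }
  const r = parsed && parsed["csp-report"];
  if (!r || typeof r !== "object") return null;
  const directive = r["violated-directive"];
  if (typeof directive !== "string" || typeof r["document-uri"] !== "string") return null;
  return {
    documentUri: r["document-uri"],
    blockedUri: typeof r["blocked-uri"] === "string" ? r["blocked-uri"] : "",
    directive: directive.split(" ")[0], // directive name only, e.g. "script-src"
    policy: typeof r["original-policy"] === "string" ? r["original-policy"] : "",
  };
}

// Classify a parsed report. This is a triage heuristic written for this
// example, not anything the CSP spec defines:
//   policy-bug  our own origin was blocked, so the policy forgot a source
//   inline      an inline script or eval was blocked; an injected <script>
//               block is inline, so this is the XSS signal
//   foreign     a script from a host the policy never listed
//   other       everything else (extensions, odd schemes, empty blocked-uri)
function classify(report) {
  const b = report.blockedUri;
  if (b === "inline" || b === "eval") return "inline";
  // Trailing slash so "https://wiki.example.org.evil.net/..." is not "ours".
  if (b.startsWith(SITE_ORIGIN + "/")) return "policy-bug";
  if (/^https?:\/\//.test(b)) return "foreign";
  return "other";
}

// Aggregate a batch of raw bodies into something a human can act on.
function triageReports(bodies) {
  const summary = { total: 0, malformed: 0, byClass: {}, foreignHosts: {}, pagesWithInline: [] };
  for (const body of bodies) {
    const r = parseViolationReport(body);
    if (!r) { summary.malformed++; continue; }
    summary.total++;
    const cls = classify(r);
    summary.byClass[cls] = (summary.byClass[cls] || 0) + 1;
    if (cls === "foreign") {
      let host;
      try { host = new URL(r.blockedUri).host; } catch (e) { host = "(unparseable)"; }
      summary.foreignHosts[host] = (summary.foreignHosts[host] || 0) + 1;
    } else if (cls === "inline") {
      summary.pagesWithInline.push(r.documentUri);
    }
  }
  return summary;
}

// Constructed sample reports, shaped as a browser would POST them to report-uri.
function sampleReport(documentPath, blockedUri, directive) {
  return JSON.stringify({
    "csp-report": {
      "document-uri": SITE_ORIGIN + documentPath,
      "blocked-uri": blockedUri,
      "violated-directive": directive,
      "original-policy": "default-src 'self'; script-src https://static.example.org; report-uri /csp-report",
    },
  });
}
const SAMPLE_BODIES = [
  // the policy above forgot 'self' in script-src, so the site's own script trips it
  sampleReport("/wiki/Main_Page", SITE_ORIGIN + "/skins/common/wikibits.js", "script-src https://static.example.org"),
  // an inline <script> on a page that should not have one
  sampleReport("/wiki/Talk:Sandbox", "inline", "script-src https://static.example.org"),
  // a script pulled from a host the policy never listed
  sampleReport("/wiki/Talk:Sandbox", "https://evil.example.net/x.js", "script-src https://static.example.org"),
  "not json at all",
  JSON.stringify({ hello: "world" }),
];
```

The split is what makes the "fix them quickly for your non-Firefox users" workflow practical: a blocked same-origin script means the policy is wrong and the site is breaking itself, while an inline or foreign-host block on a page that should not have one is the signal that something injected markup, and document-uri says which page to go and look at.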
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28524329</id>
	<title>Re:How does this change userland?</title>
	<author>dveditz</author>
	<datestamp>1246297500000</datestamp>
	<modclass>None</modclass>
	<modscore>2</modscore>
	<htmltext><blockquote><div><p><i>The reason something like this scares me is that it lulls users into a higher level of trust... and doesn't protect them from hacked sites, or sites that choose not to implement this.</i></p></div></blockquote><p>This mechanism isn't intended for users -- this is a tool for site authors, to cooperate with them in enforcing their policies. The site still has to make a best effort at implementing those policies themselves to protect all their visitors using browsers that don't support CSP (which includes every officially released version of Firefox to date). This is an extra layer of protection for users of CSP-compliant browsers, and a benefit to the site through the reporting function.</p><p>Please do continue running NoScript if you like. CSP is a mechanism for site authors to declare their policy, add-ons like NoScript and AdBlock are tools for users to declare <i>their</i> policies.</p></htmltext>
<tokenext>The reason something like this scares me is that it lulls users into a higher level of trust... and does n't protect them from hacked sites , or sites that choose not to implement this .
This mechanism is n't intended for users -- this is a tool for site authors , to cooperate with them in enforcing their policies .
The site still has to make a best effort at implementing those policies themselves to protect all their visitors using browsers that do n't support CSP ( which includes every officially released version of Firefox to date ) .
This is an extra layer of protection for users of CSP-compliant browsers , and a benefit to the site through the reporting function.Please do continue running NoScript if you like .
CSP is a mechanism for site authors to declare their policy , add-ons like NoScript and AdBlock are tools for users to declare their policies .</tokentext>
<sentencetext> The reason something like this scares me is that it lulls users into a higher level of trust... and doesn't protect them from hacked sites, or sites that choose not to implement this.
This mechanism isn't intended for users -- this is a tool for site authors, to cooperate with them in enforcing their policies.
The site still has to make a best effort at implementing those policies themselves to protect all their visitors using browsers that don't support CSP (which includes every officially released version of Firefox to date).
This is an extra layer of protection for users of CSP-compliant browsers, and a benefit to the site through the reporting function.Please do continue running NoScript if you like.
CSP is a mechanism for site authors to declare their policy, add-ons like NoScript and AdBlock are tools for users to declare their policies.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520823</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521071</id>
	<title>Re:Old Standard to Prevent All Attacks</title>
	<author>seifried</author>
	<datestamp>1246275420000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><div class="quote"><p>Don't let other people serve content via your site.</p></div><p>Problem is that security flaws such as cross-site scripting (XSS) allow exactly this (insert arbitrary HTML/JavaScript into the page, which is then rendered by the client browser).</p></htmltext>
<tokenext>Do n't let other people serve content via your site.Problem is that security flaws such as cross-site scripting ( XSS ) allow exactly this ( insert arbitrary HTML/JavaScript into the page which is then rendered by the client browser .</tokentext>
<sentencetext>Don't let other people serve content via your site.Problem is that security flaws such as cross-site scripting (XSS) allow exactly this (insert arbitrary HTML/JavaScript into the page, which is then rendered by the client browser).</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520935</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520831</id>
	<title>SPF for JavaScript</title>
	<author>The Yuckinator</author>
	<datestamp>1246274280000</datestamp>
	<modclass>Redundant</modclass>
	<modscore>1</modscore>
	<htmltext>On the surface this sounds like a great idea. Sort of like SPF for JavaScript.   Of course I'm sure that more knowledgeable folks than I will do their best to poke holes in it.   I guess the other browsers will just ignore this unless of course they jump on board and implement it too.</htmltext>
<tokenext>On the surface this sounds like a great idea .
Sort of like SPF for JavaScript .
Of course I 'm sure that more knowledgeable folks than I will do their best to poke holes in it .
I guess the other browsers will just ignore this unless of course they jump on board and implement it too .</tokentext>
<sentencetext>On the surface this sounds like a great idea.
Sort of like SPF for JavaScript.
Of course I'm sure that more knowledgeable folks than I will do their best to poke holes in it.
I guess the other browsers will just ignore this unless of course they jump on board and implement it too.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521361</id>
	<title>Re:How does this change userland?</title>
	<author>Anonymous</author>
	<datestamp>1246277040000</datestamp>
	<modclass>Interesting</modclass>
	<modscore>2</modscore>
	<htmltext><p>That reminds me -- since recently I have to tell NoScript to allow scripts from fsdn.com in order to browse slashdot.org successfully.  I *know* that FSDN is slashdot's parent company, but it doesn't seem right that I can't use slashdot's discussion interface without giving permission to all of FSDN.</p><p>Similarly, recently I have to allow gstatic.com and/or googleapis.com to use Google-enabled websites that worked fine before.</p><p>Like the parent post's point: it's getting harder for a user to selectively narrow permissions down.</p></htmltext>
<tokenext>That reminds me -- since recently I have to tell NoScript to allow scripts from fsdn.com in order to browse slashdot.org successfully .
I * know * that FSDN is slashdot 's parent company , but it does n't seem right that I ca n't use slashdot 's discussion interface without giving permission to all of FSDN.Similarly , recently I have to allow gstatic.com and/or googleapis.com to use Google-enabled websites that worked fine before.Like the parent post 's point : it 's getting harder for a user to selectively narrow permissions down .</tokentext>
<sentencetext>That reminds me -- since recently I have to tell NoScript to allow scripts from fsdn.com in order to browse slashdot.org successfully.
I *know* that FSDN is slashdot's parent company, but it doesn't seem right that I can't use slashdot's discussion interface without giving permission to all of FSDN.Similarly, recently I have to allow gstatic.com and/or googleapis.com to use Google-enabled websites that worked fine before.Like the parent post's point: it's getting harder for a user to selectively narrow permissions down.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521019</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520883</id>
	<title>Cost vs. Benefit?</title>
	<author>spydabyte</author>
	<datestamp>1246274520000</datestamp>
	<modclass>Interesting</modclass>
	<modscore>3</modscore>
	<htmltext><div class="quote"><p>If the cost versus benefit doesn't make sense for some site, they're free to keep doing business as usual.</p></div><p>The author gave the best reason for not implementing this.<br> <br>The benefits of this, and other various security implementations, won't be seen until it's tested. The costs of testing? Way too high compared to the current cost of operation. This is a very hard proof-of-concept problem, and unless this is already built into development standards, I doubt any deployments would switch.<br>Which would you take, the option which delays production for a week, or the option to just hit "next"?</p></htmltext>
<tokenext>If the cost versus benefit does n't make sense for some site , they 're free to keep doing business as usual .
'The author gave the best reason for not implementing this .
The benefits of this , and other various security implementations , wo n't be seen until it 's tested .
The costs of testing ?
Way too high compared to the current cost of operation .
This is a very hard proof-of-concept problem , and unless this is already built into development standards , I doubt any deployments would switch.Which would you take , the option which delays production for a week , or the option to just hit " next " ?</tokentext>
<sentencetext>If the cost versus benefit doesn't make sense for some site, they're free to keep doing business as usual.
'The author gave the best reason for not implementing this.
The benefits of this, and other various security implementations, won't be seen until it's tested.
The costs of testing?
Way too high compared to the current cost of operation.
This is a very hard proof-of-concept problem, and unless this is already built into development standards, I doubt any deployments would switch.Which would you take, the option which delays production for a week, or the option to just hit "next"?
	</sentencetext>
</comment>
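dveditz's reply above (CSP is an extra layer for site authors, and the site still has to protect visitors whose browsers ignore the header) and the testing-cost objection in this comment both come down to the same deployment shape, so here is an added example of it, not code from Mozilla, MediaWiki or anyone else on this page. It uses the header names and directive syntax of the W3C Content Security Policy standard that grew out of the draft under discussion; that standard also defines a Report-Only variant of the header, which is the answer to the "delays production for a week" concern, since the browser reports what the policy would have blocked without blocking anything. The hostnames, paths and the sample comment are assumed.

```javascript
// Added example, not code from Mozilla, MediaWiki or any site on this page.
// Header names and directive syntax follow the W3C Content Security Policy
// standard that grew out of the 2009 draft discussed here; the hostnames,
// paths and sample comment are assumed for illustration.

// Layer 1: output encoding. Every visitor relies on this, including those
// whose browsers ignore the CSP header entirely. CSP never replaces it.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}
function renderComment(author, text) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(text)}</div>`;
}

// Layer 2: the policy a CSP-aware browser enforces. Kept as a directive map
// so it can be reviewed as data rather than as a hand-typed header string.
const SITE_POLICY = {
  "default-src": ["'self'"],
  "script-src": ["'self'", "https://static.example.org"], // assumed static-asset host
  "img-src": ["'self'", "https://upload.example.org", "data:"], // assumed upload host
  "report-uri": ["/csp-report"],
};
function buildPolicy(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(" ")}`)
    .join("; ");
}

// The header to send. Report-Only makes the browser report what the policy
// *would* have blocked without blocking it, so a site can run the policy in
// production, read the reports, and only then flip to enforcement.
function cspHeader(policy, { reportOnly = false } = {}) {
  return {
    name: reportOnly ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy",
    value: policy,
  };
}
function headersForStage(stage) {
  const policy = buildPolicy(SITE_POLICY);
  return stage === "enforce" ? cspHeader(policy) : cspHeader(policy, { reportOnly: true });
}

// Sanity check before shipping: a script-src that allows 'unsafe-inline'
// gives up the XSS benefit, because an injected <script> block is inline.
// script-src falls back to default-src when it is not set.
function allowsInlineScript(directives) {
  const sources = directives["script-src"] || directives["default-src"] || [];
  return sources.includes("'unsafe-inline'");
}

// Constructed sample: the classic probe payload posted as a comment body.
const SAMPLE_COMMENT = renderComment("bob", "<script>alert(document.cookie)</script>");
```

The order of the two layers is the point dveditz makes: escaping is the protection every browser gets, and the header is the backstop for the day the escaping is missed somewhere, which the reports from the first example will tell you about.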
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521129</id>
	<title>Re:Old Standard to Prevent All Attacks</title>
	<author>buchner.johannes</author>
	<datestamp>1246275780000</datestamp>
	<modclass>Flamebait</modclass>
	<modscore>0</modscore>
	<htmltext><p>Don't host a website or put data on the web?</p><p>Don't use computers?</p></htmltext>
<tokenext>Do n't host a website or put data on the web ? Do n't use computers ?</tokentext>
<sentencetext>Don't host a website or put data on the web?Don't use computers?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520935</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520897</id>
	<title>Article on this and related technologies</title>
	<author>seifried</author>
	<datestamp>1246274580000</datestamp>
	<modclass>Interesting</modclass>
	<modscore>2</modscore>
	<htmltext>Shameless self plug: I wrote about this in my column: <a href="http://www.linux-magazine.com/w3/issue/94/Web_Security.pdf" title="linux-magazine.com">Web security - Protecting your site and your clients</a> [linux-magazine.com] in September of 2008 and I'm VERY glad to see this is moving forwards as it means I (as a site owner) can actually do something to protect my site and my users against flaws in my site that is relatively easy and non-intrusive (that's the key!). The thing I really love about this is if your clients don't support site security policy, things still work, and if your browser supports it but the remote web site doesn't, things still work, but if both ends support it you get a nice added layer of protection. What would be really wild is if Microsoft added support for it, although "not invented here" they have been making efforts to protect users from XSS attacks in IE8 with mixed success, so who knows. You can do similar things with mod_security potentially and outgoing filters but it is nowhere near as simple as site security policy should be to deploy (hopefully).</htmltext>
<tokenext>Shameless self plug : I wrote about this in my column : Web security - Protecting your site and your clients [ linux-magazine.com ] in September of 2008 and I 'm VERY glad to see this is moving forwards as it means I ( as a site owner ) can actually do something to protect my site and my users against flaws in my site that is relatively easy and non-intrusive ( that 's the key ! ) .
The thing I really love about this is if your clients do n't support site security policy , things still work , and if your browser supports it but the remote web site does n't , things still work , but if both ends support it you get a nice added layer of protection .
What would be really wild is if Microsoft added support for it , although " not invented here " they have been making efforts to protect users from XSS attacks in IE8 with mixed success , so who knows .
You can do similar things with mod \ _security potentially and outgoing filters but it is nowhere near as simple as site security policy should be to deploy ( hopefully ) .</tokentext>
<sentencetext>Shameless self plug: I wrote about this in my column: Web security - Protecting your site and your clients [linux-magazine.com] in September of 2008 and I'm VERY glad to see this is moving forwards as it means I (as a site owner) can actually do something to protect my site and my users against flaws in my site that is relatively easy and non-intrusive (that's the key!).
The thing I really love about this is if your clients don't support site security policy, things still work, and if your browser supports it but the remote web site doesn't, things still work, but if both ends support it you get a nice added layer of protection.
What would be really wild is if Microsoft added support for it, although "not invented here" they have been making efforts to protect users from XSS attacks in IE8 with mixed success, so who knows.
You can do similar things with mod_security potentially and outgoing filters but it is nowhere near as simple as site security policy should be to deploy (hopefully).</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521015</id>
	<title>The XSS FAQ</title>
	<author>mrkitty</author>
	<datestamp>1246275180000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>2</modscore>
	<htmltext><br>
The Cross-site Scripting (XSS) FAQ
<a href="http://www.cgisecurity.com/xss-faq.html" title="cgisecurity.com">http://www.cgisecurity.com/xss-faq.html</a> [cgisecurity.com]</htmltext>
<tokenext>The Cross-site Scripting ( XSS ) FAQ http : //www.cgisecurity.com/xss-faq.html [ cgisecurity.com ]</tokentext>
<sentencetext>
The Cross-site Scripting (XSS) FAQ
http://www.cgisecurity.com/xss-faq.html [cgisecurity.com]</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520811</id>
	<title>Managers</title>
	<author>uassholes</author>
	<datestamp>1246274160000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><div class="quote"><p>"The Mozilla foundation is to adopt a new standard to help web sites prevent cross site scripting attacks (XSS). The standard, called Content Security Policy</p></div><p>Do you notice that name does not sound like the description? Why do they never call it what it is?</p>
	</htmltext>
<tokenext>" The Mozilla foundation is to adopt a new standard to help web sites prevent cross site scripting attacks ( XSS ) .
The standard , called Content Security Policy
Do you notice that name does not sound like the description ?
Why do they never call it what it is ?</tokentext>
<sentencetext>"The Mozilla foundation is to adopt a new standard to help web sites prevent cross site scripting attacks (XSS).
The standard, called Content Security Policy
Do you notice that name does not sound like the description?
Why do they never call it what it is?
	</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521029</id>
	<title>This is great for Firefox users...</title>
	<author>randomnote1</author>
	<datestamp>1246275240000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>2</modscore>
	<htmltext>What about IE, Chrome, Opera, and Safari users?  As of now this solution only benefits a small portion of users.  I don't see this being widely implemented at all.</htmltext>
<tokenext>What about IE , Chrome , Opera , and Safari users ?
As of now this solution only benefits a small portion of users .
I do n't see this being widely implemented at all .</tokentext>
<sentencetext>What about IE, Chrome, Opera, and Safari users?
As of now this solution only benefits a small portion of users.
I don't see this being widely implemented at all.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520873</id>
	<title>FF Vs IE again?</title>
	<author>ItsPaPPy</author>
	<datestamp>1246274460000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext>Seems like they are trying to compete with IE
<a href="http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx" title="msdn.com" rel="nofollow">http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx</a> [msdn.com]

But on <a href="http://sla.ckers.org/" title="ckers.org" rel="nofollow">http://sla.ckers.org/</a> [ckers.org]
circumvention has already been found.

XSS will always be around, because of dumb coders trying to re-invent the wheel, yet again.</htmltext>
<tokenext>Seems like they are trying to compete with IE http : //blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx [ msdn.com ] But on http : //sla.ckers.org/ [ ckers.org ] circumvention has already been found .
XSS will always be around , because of dumb coders trying to re-invent the wheel , yet again .</tokentext>
<sentencetext>Seems like they are trying to compete with IE
http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx [msdn.com]

But on http://sla.ckers.org/ [ckers.org]
circumvention has already been found.
XSS will always be around, because of dumb coders trying to re-invent the wheel, yet again.</sentencetext>
</comment>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_29_2048207_20</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521725
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520793
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_29_2048207_14</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521523
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520823
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_29_2048207_18</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28523703
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520823
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_29_2048207_11</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28524329
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520823
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_29_2048207_24</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28522393
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521179
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_29_2048207_28</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521129
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520935
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_29_2048207_15</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28525231
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521259
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_29_2048207_30</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521611
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521029
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_29_2048207_12</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28526545
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520821
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_29_2048207_19</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521045
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520811
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_29_2048207_16</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521461
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521029
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_29_2048207_7</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28527759
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28522949
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520787
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_29_2048207_13</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28523309
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520935
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_29_2048207_31</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521071
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520935
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_29_2048207_3</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521287
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520823
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_29_2048207_17</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521727
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521095
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520905
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_29_2048207_29</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521679
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520935
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_29_2048207_0</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28531171
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520787
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_29_2048207_4</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521361
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521019
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520823
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_29_2048207_1</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28536969
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520883
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_29_2048207_8</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28524839
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521179
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_29_2048207_21</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521171
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520935
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_29_2048207_5</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28523885
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521155
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_29_2048207_9</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28526951
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520823
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_29_2048207_25</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521735
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521155
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_29_2048207_2</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28522375
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521027
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520823
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_29_2048207_6</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521409
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520823
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_29_2048207_23</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28529323
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520979
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520787
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_29_2048207_22</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28523681
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521029
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_29_2048207_27</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521335
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521155
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_29_2048207_10</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28537007
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521051
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_29_2048207_26</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521307
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520935
</commentlist>
</thread>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_06_29_2048207.18</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521179
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28522393
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28524839
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_06_29_2048207.19</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521029
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521611
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28523681
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521461
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_06_29_2048207.16</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520811
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521045
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_06_29_2048207.13</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520897
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_06_29_2048207.10</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520793
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521725
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_06_29_2048207.11</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520883
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28536969
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_06_29_2048207.9</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28523735
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_06_29_2048207.17</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521259
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28525231
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_06_29_2048207.7</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521155
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521735
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521335
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28523885
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_06_29_2048207.15</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520999
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_06_29_2048207.5</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520935
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28523309
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521129
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521071
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521171
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521679
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521307
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_06_29_2048207.8</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520821
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28526545
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_06_29_2048207.3</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520905
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521095
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521727
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_06_29_2048207.6</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521113
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_06_29_2048207.4</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28523797
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_06_29_2048207.20</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28525739
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_06_29_2048207.1</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28525117
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_06_29_2048207.14</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520787
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520979
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28529323
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28522949
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28527759
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28531171
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_06_29_2048207.12</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520823
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521409
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28524329
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521523
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521287
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28526951
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28523703
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521019
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521361
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521027
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28522375
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_06_29_2048207.2</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28521051
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28537007
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_06_29_2048207.0</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_29_2048207.28520831
</commentlist>
</conversation>
