W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2009

Re: The HTTP Origin Header (draft-abarth-origin)

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Sat, 24 Jan 2009 07:59:03 +0100
To: Adam Barth <w3c@adambarth.com>
Cc: ietf-http-wg@w3.org
Message-ID: <3peln4hrni9m7udgiaetjpldmtpd3info0@hive.bjoern.hoehrmann.de>

* Adam Barth wrote:
>> This is a false dichotomy; servers also have the option to request more
>> information before making their final determination whenever deemed ne-
>> cessary as long as human interaction is possible. For example, having a
>> user re-enter his credentials is a common technique.
>
>To fully defend themselves against CSRF attacks, Web sites must
>protect every request that modifies state.  It is impractical to ask
>users to re-enter their credentials for every side effecting
>operation.

I am unsure what point you are trying to make. You gave the impression
that there are only two options, and neither of them is ever acceptable.
That is not the case, there are more options, and some of them lead to
acceptable results for some applications. There may be others, but that
is no reason to claim a greater problem than there really is.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Saturday, 24 January 2009 06:59:43 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:00 GMT