The "Security Considerations" section of "HTTP/1.1, part 7: Authentication" should mention that the mechanism is vulnerable to Confused Deputy attacks such as Cross-Site-Request-Forgery (CSRF) and clickjacking. Is someone working on text for this, or should I propose some? See: http://tools.ietf.org/html/draft-ietf-httpbis-p7-auth-08#section-5 --Tyler -- "Waterken News: Capability security on the Web" http://waterken.sourceforge.net/recent.htmlReceived on Wednesday, 25 November 2009 15:01:56 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:13 GMT