
CSRF and clickjacking not mentioned in "HTTP/1.1, part 7: Authentication"

From: Tyler Close <tyler.close@gmail.com>
Date: Wed, 25 Nov 2009 07:01:14 -0800
Message-ID: <5691356f0911250701p7f89a93cpe40f889310d9b9b4@mail.gmail.com>
To: HTTP Working Group <ietf-http-wg@w3.org>
The "Security Considerations" section of "HTTP/1.1, part 7:
Authentication" should mention that the mechanism is vulnerable to
Confused Deputy attacks such as Cross-Site-Request-Forgery (CSRF) and
clickjacking. Is someone working on text for this, or should I propose
"Waterken News: Capability security on the Web"
Received on Wednesday, 25 November 2009 15:01:56 UTC
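The confused-deputy point raised above, shown as an added example that is not part of this thread: a browser re-attaches cached Basic credentials to any request it sends to the origin, so a handler that trusts only the Authorization header also accepts a request that a third-party page triggered (the CSRF case), whereas the hardened handler additionally demands a same-origin Origin header and a per-session token the other page cannot read. The origin, credentials, tokens and requests are constructed placeholders.

```python
# Added example (not from the thread): why HTTP authentication alone acts as a
# confused deputy. Requests are constructed dicts standing in for browser traffic.
import base64
import hmac

SITE = "https://bank.example"        # hypothetical protected origin
USERS = {"alice": "s3cret"}          # hypothetical credential store
# Per-session anti-CSRF token, issued in the page; a cross-origin page cannot read it.
SESSION_TOKENS = {"alice": "7f3a9c"}

def check_basic_auth(headers):
    """Return the user named by a valid 'Authorization: Basic' header, else None."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(value[6:]).decode().partition(":")
    except ValueError:
        return None
    return user if hmac.compare_digest(USERS.get(user, ""), pw) else None

def handle_transfer_auth_only(req):
    """Naive handler: credentials prove who the browser is, not that the user
    intended this request; the browser adds them to a forged request too."""
    return "ok" if check_basic_auth(req["headers"]) else "401"

def handle_transfer_hardened(req):
    """Require evidence of user intent beyond ambient credentials:
    a same-origin Origin header and the per-session token."""
    user = check_basic_auth(req["headers"])
    if not user:
        return "401"
    if req["headers"].get("Origin") != SITE:
        return "403 cross-origin"
    if not hmac.compare_digest(SESSION_TOKENS[user], req["form"].get("csrf_token", "")):
        return "403 bad token"
    return "ok"

CREDS = "Basic " + base64.b64encode(b"alice:s3cret").decode()
# Constructed: a form POST submitted from a page on another origin. The browser
# still attaches the cached credentials, but the token is absent.
FORGED = {"headers": {"Authorization": CREDS, "Origin": "https://other.example"},
          "form": {"to": "mallory", "amount": "1000"}}
# Constructed: the same action submitted from the site's own page.
GENUINE = {"headers": {"Authorization": CREDS, "Origin": SITE},
           "form": {"to": "bob", "amount": "10", "csrf_token": "7f3a9c"}}
```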
