
Re: CSRF and clickjacking not mentioned in "HTTP/1.1, part 7: Authentication"

From: Julian Reschke <julian.reschke@gmx.de>
Date: Wed, 25 Nov 2009 16:18:19 +0100
Message-ID: <4B0D4ABB.3010108@gmx.de>
To: Tyler Close <tyler.close@gmail.com>
CC: HTTP Working Group <ietf-http-wg@w3.org>
Tyler Close wrote:
> The "Security Considerations" section of "HTTP/1.1, part 7:
> Authentication" should mention that the mechanism is vulnerable to
> Confused Deputy attacks such as Cross-Site-Request-Forgery (CSRF) and
> clickjacking. Is someone working on text for this, or should I propose
> some?
> 
> See:
> http://tools.ietf.org/html/draft-ietf-httpbis-p7-auth-08#section-5
> ...

Hi Tyler,

as far as I can tell, nobody is currently working on this.

I can't speak for the whole group, but I would be *very* happy if you 
would look not only at Part 7, producing proposals on what should be 
said. Note that we should be careful in adding too much text though; in 
the past we were working on a separate spec, 
<http://tools.ietf.org/wg/httpbis/draft-ietf-httpbis-security-properties/>, 
which might be a better container for some of this.

Best regards, Julian
Received on Wednesday, 25 November 2009 15:18:58 GMT
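An added example, not code from the thread or from any HTTPbis draft: a minimal Python request handler illustrating the confused-deputy problem Tyler raises. The browser attaches HTTP Basic credentials to every request for the realm, so a handler that accepts a valid Authorization header alone will also accept a cross-site form submission; the hardened version additionally requires the browser-supplied Origin to match the site. Request shape, the credential store and the origins bank.example and attacker.example are constructed for the example.

```python
import base64
from dataclasses import dataclass, field

# Constructed credential store for the example (never store plaintext passwords for real).
USERS = {"alice": "correct horse"}
SITE_ORIGIN = "https://bank.example"  # the origin the protected resource lives on


@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)


def basic_header(user: str, password: str) -> str:
    """Build the Authorization value a browser sends for HTTP Basic."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_auth_user(req: Request):
    """Return the authenticated user name, or None if the Basic credentials are bad."""
    scheme, _, token = req.headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, password = base64.b64decode(token).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user if USERS.get(user) == password else None


def transfer_vulnerable(req: Request) -> int:
    """Relies on ambient credentials only: a cross-site POST carrying the
    browser's cached Basic header is indistinguishable from a user action."""
    if basic_auth_user(req) is None:
        return 401
    return 200


def transfer_hardened(req: Request) -> int:
    """Same check, plus a requirement that the initiating site is our own.
    Browsers send Origin on cross-origin POSTs; a missing Origin is rejected too."""
    if basic_auth_user(req) is None:
        return 401
    if req.method == "POST" and req.headers.get("Origin") != SITE_ORIGIN:
        return 403  # valid credentials, but the request was not initiated by our site
    return 200
```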