W3C home > Mailing lists > Public > public-appformats@w3.org > November 2007

Re: Design issues for access-control

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Mon, 05 Nov 2007 17:05:49 +0100
To: "Anne van Kesteren" <annevk@opera.com>
Cc: <public-appformats@w3.org>
Message-ID: <nveui3d7pcfpuon0spac57e2lnko6tm6ed@hive.bjoern.hoehrmann.de>

* Anne van Kesteren wrote:
>You already said that. I'm not sure how you think that helps.

I think Thomas read you as saying it's good practise if authors of web
services that handle POST requests secure their service against cross-
site <form> submissions, but do not secure them against cross-site XHR
requests, whereas you were really saying, authors have to do the former
and might not currently do the latter, independent of good practises.

His point is that you really have to secure them against both, whatever
that may mean for a particular service, so there is no difference from
the perspective of the author's site. The relevance of your distinction
to the discussion is that one wants to minimize the ways in which web
browsers can be used to attack poorly secured web services, and Thomas
was asking to which degree this actually has security benefits.
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Monday, 5 November 2007 16:05:58 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:50:08 UTC