
Re: Design issues for access-control

From: Jonas Sicking <jonas@sicking.cc>
Date: Mon, 05 Nov 2007 10:18:42 -0800
Message-ID: <472F5E82.2020103@sicking.cc>
To: Bjoern Hoehrmann <derhoermi@gmx.net>
CC: Anne van Kesteren <annevk@opera.com>, public-appformats@w3.org

Bjoern Hoehrmann wrote:
> * Anne van Kesteren wrote:
>> You already said that. I'm not sure how you think that helps.
> 
> I think Thomas read you as saying it's good practice if authors of web
> services that handle POST requests secure their service against cross-
> site <form> submissions, but do not secure them against cross-site XHR
> requests, whereas you were really saying, authors have to do the former
> and might not currently do the latter, independent of good practices.
> 
> His point is that you really have to secure them against both, whatever
> that may mean for a particular service, so there is no difference from
> the perspective of the author's site. The relevance of your distinction
> to the discussion is that one wants to minimize the ways in which web
> browsers can be used to attack poorly secured web services, and Thomas
> was asking to which degree this actually has security benefits.

Why do you have to currently check for cross-site XHR POST requests? I 
would argue that you don't, and that there very likely are servers out 
there that don't. Thus, if we simply allowed cross-site XHR POST 
requests we'd make such servers vulnerable whereas they didn't use to be.

I agree that there very likely are servers out there that are vulnerable 
to cross-site <form> POST requests. That is bad, but I don't think that 
is anything we can or should do anything about here.

/ Jonas
Received on Monday, 5 November 2007 18:21:37 UTC
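
The distinction argued in this message, as an added example that is not part of the original thread: it sorts POST requests into those a cross-site `<form>` can already produce and those that only unrestricted cross-site XHR would newly allow, which are the ones a server may never have checked for. The function names, the browser-header list and the sample requests are assumptions constructed for illustration.

```javascript
// Added example, not from the thread; all names are hypothetical.
// Encodings an HTML <form> can submit with method="post".
const FORM_ENCTYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Assumption: a constructed, non-exhaustive list of headers a browser adds
// by itself. Any other header had to be set by script, e.g. through
// XMLHttpRequest.setRequestHeader(), which a <form> cannot do.
const BROWSER_SET = new Set([
  "host", "user-agent", "accept", "accept-language", "accept-encoding",
  "content-type", "content-length", "cookie", "referer", "connection",
  "origin",
]);

// Strip parameters such as "; charset=utf-8" or "; boundary=...".
function mediaType(value) {
  return (value || "").split(";")[0].trim().toLowerCase();
}

// Returns whether a cross-site <form> could already have sent this POST.
// If not, only unrestricted cross-site XHR would newly make it reachable.
function classifyCrossSitePost(headers) {
  const reasons = [];
  let type = "";
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (lower === "content-type") type = mediaType(value);
    if (!BROWSER_SET.has(lower)) reasons.push(`header ${name} needs script`);
  }
  if (!FORM_ENCTYPES.has(type)) {
    reasons.push(`content type ${type || "(none)"} is not a form encoding`);
  }
  return { formReachable: reasons.length === 0, reasons };
}

// Constructed sample requests (header sets only).
const SAMPLES = {
  form: { "Content-Type": "application/x-www-form-urlencoded", Cookie: "sid=example" },
  xmlApi: { "Content-Type": "text/xml; charset=utf-8", Cookie: "sid=example" },
  custom: { "Content-Type": "multipart/form-data; boundary=x", "X-Requested-With": "XMLHttpRequest" },
};

for (const [label, headers] of Object.entries(SAMPLES)) {
  console.log(label, classifyCrossSitePost(headers));
}
```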
