- From: Ian Hickson <ian@hixie.ch>
- Date: Tue, 23 Oct 2007 20:01:21 +0000 (UTC)
- To: Anne van Kesteren <annevk@opera.com>
- Cc: "WAF WG (public)" <public-appformats@w3.org>
On Tue, 23 Oct 2007, Anne van Kesteren wrote:

> One of our security guys is not happy with cross-site authenticated GET
> requests without some sort of verification from the server beforehand
> that it is actually ok to do that. Even though this is already possible
> to do so currently using <img> and <iframe> he thinks that practice
> shouldn't be further supported by making it mandatory for user agents to
> support that. The thought being that it might be possible to improve the
> situation for <img>/<iframe>/etc. at some point in the future. Any
> thoughts?

It will always be possible to do cross-site requests for <img>, <iframe>, <script>, <form>, ... there are billions of pages depending on it.

What is the attack vector that is being mitigated by not allowing it? GETs are by definition supposed to be side-effect-free.

--
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 23 October 2007 20:01:31 UTC