
Re: Accountability in AC4CSR

From: Jonas Sicking <jonas@sicking.cc>
Date: Wed, 06 Feb 2008 15:58:13 -0800
Message-ID: <47AA4995.1030101@sicking.cc>
To: "Close, Tyler J." <tyler.close@hp.com>
CC: Web Application Formats Working Group WG <public-appformats@w3.org>

Close, Tyler J. wrote:

 > Since the cross-domain request is labeled by the browser with the
 > Referer-Root of Site A, it is tempting to say Site A should be held
 > accountable. Unfortunately, this is not secure since Site B cannot
 > know for sure that this labeling was done by an honest browser. Using
 > another tool, the user could send a request to Site B labeled with a
 > Referer-Root for Site A, in effect attempting to blame Site A for the
 > request to Site B. So Site B is left in the position of not being able
 > to hold either the user or Site A accountable for the request.

What accountability mechanism is used today if the browser isn't honest? 
It seems to me like you are hosed then no matter what in the scenario.

/ Jonas
Received on Thursday, 7 February 2008 00:00:22 GMT
