
RE: Accountability in AC4CSR

From: Close, Tyler J. <tyler.close@hp.com>
Date: Thu, 7 Feb 2008 21:16:47 +0000
To: Ian Hickson <ian@hixie.ch>
CC: Jonas Sicking <jonas@sicking.cc>, "WAF WG (public)" <public-appformats@w3.org>
Message-ID: <C7B67062D31B9E459128006BAAD0DC3D074F8030D6@G6W0269.americas.hpqcorp.net>
Ian Hickson wrote:
> If you are faced with a hostile client, then Access-Control
> is irrelevant.
> A hostile client can already do cross-site third party requests.

But can the hostile client convincingly blame another site for the request? That's the new part. A hostile client can send a request that looks like it was sent by an honest client and is the fault of the Referer-Root site.

You can't stop thinking at the point that the request is accepted. You have to also consider how the site which accepts the request assigns accountability.

--Tyler
Received on Thursday, 7 February 2008 21:18:02 GMT
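The scenario in the message above, as an added example (an editor's illustration, not code from the post, from the WAF WG, or from the AC4CSR draft): a non-browser client sends a request whose `Referer-Root` header names an honest site, the server's access-control check accepts it, and then two handlers differ only in who they hold accountable. The header name `Referer-Root` is taken from the message; the allow-list, hostnames, session tokens, handler names and the in-process "server" are all constructed for the illustration.

```python
"""Who gets blamed for a cross-site request whose Referer-Root is client-asserted?

Added example, not from the original post or the AC4CSR draft.  The server,
client and audit log are simulated in-process; every hostname and token below
is constructed.  'Referer-Root' is the header name used in the message above.
"""

from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed: sites the server allows cross-site requests from, and its
# session-token table (token -> authenticated principal).
ALLOWED_ROOTS = {"https://honest.example"}
SESSIONS = {
    "tok-alice-001": "alice@victim.example",
    "tok-mallory-777": "mallory@evil.example",
}


@dataclass
class Request:
    headers: dict
    body: str = ""


@dataclass
class AuditEntry:
    principal: str       # whom the server holds accountable for the action
    claimed_root: str    # what the request *said* its originating site was
    root_verified: bool  # whether the server treats that claim as proven
    action: str


def authenticate(req: Request) -> str:
    """Map a bearer token to a principal; anything unknown is 'anonymous'."""
    auth = req.headers.get("Authorization", "")
    token = auth[len("Bearer "):].strip() if auth.startswith("Bearer ") else ""
    return SESSIONS.get(token, "anonymous")


def access_control_decision(req: Request) -> bool:
    """The AC4CSR-style question: is the asserted Referer-Root on the allow-list?

    This decision is only as good as the client's honesty: a conforming
    browser fills the header in truthfully, a hostile client fills in whatever
    it likes.  Both handlers below share this check; they differ afterwards.
    """
    return req.headers.get("Referer-Root") in ALLOWED_ROOTS


def naive_handler(req: Request, log: List[AuditEntry]) -> bool:
    """Accepts the request and then blames the Referer-Root site for it."""
    if not access_control_decision(req):
        return False
    root = req.headers["Referer-Root"]
    log.append(AuditEntry(principal=root, claimed_root=root,
                          root_verified=True, action=req.body))
    return True


def accountable_handler(req: Request, log: List[AuditEntry]) -> bool:
    """Same acceptance policy, but accountability goes to the authenticated
    principal, and Referer-Root is recorded only as an unverified claim."""
    if not access_control_decision(req):
        return False
    log.append(AuditEntry(principal=authenticate(req),
                          claimed_root=req.headers["Referer-Root"],
                          root_verified=False, action=req.body))
    return True


def hostile_request(token: Optional[str] = "tok-mallory-777") -> Request:
    """A non-browser client sets any headers it likes: it claims the honest
    site as Referer-Root while authenticating as Mallory (or not at all)."""
    headers = {"Referer-Root": "https://honest.example"}
    if token is not None:
        headers["Authorization"] = f"Bearer {token}"
    return Request(headers=headers, body="DELETE /account/alice")


def audit(handler: Callable[[Request, list], bool],
          req: Request) -> Optional[AuditEntry]:
    """Run one request through a handler; return its audit record, or None
    if the access-control check rejected the request."""
    log: List[AuditEntry] = []
    return log[0] if handler(req, log) else None


if __name__ == "__main__":
    for handler in (naive_handler, accountable_handler):
        for token in ("tok-mallory-777", None):
            entry = audit(handler, hostile_request(token))
            print(f"{handler.__name__:20s} blames {entry.principal!r} "
                  f"(claimed root {entry.claimed_root!r}, "
                  f"verified={entry.root_verified})")
```

Both handlers accept the forged request, so the access-control decision is identical; the difference is entirely in the audit record. The naive handler writes `https://honest.example` into the `principal` field, which is exactly the false blame the message warns about. The accountable handler attributes the action to whatever the server could actually verify (a session token, or `anonymous`) and keeps the asserted root only as an unverified claim, which is the only reading of `Referer-Root` that survives a hostile client.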
