
Re: Accountability in AC4CSR

From: Ian Hickson <ian@hixie.ch>
Date: Wed, 13 Feb 2008 07:23:57 +0000 (UTC)
To: John Panzer <jpanzer@acm.org>
Cc: "WAF WG (public)" <public-appformats@w3.org>
Message-ID: <Pine.LNX.4.62.0802130722160.20115@hixie.dreamhostps.com>

On Tue, 12 Feb 2008, John Panzer wrote:
> > 
> > (Though they might need to use different headers, of course -- we 
> > obviously can't allow scripts doing cross-origin requests to 
> > arbitrarily change HTTP authentication headers.)
>
> Sorry, it's not obvious to me.  We're talking about a situation where 
> the server has explicitly opted in to CSRs.  I can understand not 
> sending authorization data from the browser itself by default, maybe, 
> but to block scripts from setting a header seems unnecessary and will 
> just lead to X-Authorization:.

There's no way we can allow a distributed authorisation credentials attack 
on systems using username/password authentication or cookie authentication 
mechanisms. The browser vendors just wouldn't let us implement anything that 
allowed that.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 13 February 2008 07:24:39 GMT
