W3C home > Mailing lists > Public > public-web-security@w3.org > December 2009

Re: HTTPbis and the Same Origin Policy

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 3 Dec 2009 10:52:51 -0800
Message-ID: <7789133a0912031052s7d4d3635mead552e51c614390@mail.gmail.com>
To: Julian Reschke <julian.reschke@gmx.de>
Cc: Tyler Close <tyler.close@gmail.com>, Daniel Stenberg <daniel@haxx.se>, Joe Gregorio <joe@bitworking.org>, "Manger, James H" <James.H.Manger@team.telstra.com>, public-web-security@w3.org
On Thu, Dec 3, 2009 at 10:12 AM, Julian Reschke <julian.reschke@gmx.de> wrote:
> Adam Barth wrote:
>> ...
>> PUT is more dangerous than POST only because, historically, browsers
>> have allowed cross-origin POST but not PUT.  That means servers had to
>> tolerate cross-origin POST without exploding, but they did not need
>> to tolerate cross-origin PUT.  Therefore, there exist servers that
>> explode on a cross-origin PUT.
>> ...
>
> Evidence?

Evidence of which part?  The exploding servers?  Google Web Toolkit
uses custom headers to protect itself from CSRF [1], which is similar.
I've written a web service that used PUT to protect itself from CSRF,
but that might not count.  :)

Adam

[1] http://groups.google.com/group/Google-Web-Toolkit/web/security-for-gwt-applications
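As an added example, not code from this thread or from Google Web Toolkit: a request filter implementing the custom-header CSRF check the message attributes to GWT, next to a predicate modelling the pre-CORS browser rule the message relies on (a foreign page could only submit GET/POST forms, never with a custom header). The header name, `Request` type and function names are assumptions.

```python
# Added example, not from the thread or from GWT. The header name and the
# Request/check_request names are assumptions for illustration.
from dataclasses import dataclass, field

CSRF_HEADER = "X-Requested-With"  # assumed name; GWT's exact header is not on the page

# What a cross-origin HTML form could send before CORS: only GET/POST,
# and never with a custom header attached.
FORM_METHODS = {"GET", "POST"}
STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}


@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)

    def has(self, name):
        # HTTP header names are case-insensitive
        return any(k.lower() == name.lower() for k in self.headers)


def legacy_cross_origin_forgeable(req):
    """True if a pre-CORS browser could have produced this request from a
    foreign page via form submission: GET/POST only, no custom header."""
    return req.method in FORM_METHODS and not req.has(CSRF_HEADER)


def check_request(req):
    """Custom-header CSRF filter. Returns (accepted, reason).
    A cross-site form cannot attach a custom header, and under CORS a
    browser only sends one after a preflight the server must approve, so
    its presence shows the request came through the site's own script."""
    if req.method not in STATE_CHANGING:
        return True, "safe method"
    if req.has(CSRF_HEADER):
        return True, "custom header present"
    return False, "state-changing request without custom header"


if __name__ == "__main__":
    samples = (Request("POST"), Request("PUT"),
               Request("PUT", {CSRF_HEADER: "XMLHttpRequest"}))
    for r in samples:
        print(r.method, r.headers, "->", check_request(r))
```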
Received on Thursday, 3 December 2009 18:53:43 GMT
