On Sun, Jun 7, 2009 at 3:21 PM, Mark S. Miller <erights@google.com> wrote:
> If the hypothesis I am raising is indeed not a problem, then it doesn't
> matter whether these same origin requests carry "Origin: null" or nothing.
> What matters is that JavaScript code have a standard way to request their
> browser to issue requests carrying no other credentials, even if back to the
> same origin.

Yeah, I can see that as being useful. I encourage you to propose a new API that does this. The Origin-header-as-CSRF-defense already provides for this possibility. Is there something specific you'd like me to change in the I-D to support this new API?

Adam

Received on Sunday, 7 June 2009 22:29:42 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 December 2009 10:43:11 GMT