
Re: XHR without user credentials

From: Tyler Close <tyler.close@gmail.com>
Date: Sat, 13 Jun 2009 05:39:58 -0700
Message-ID: <5691356f0906130539h2f6c9a1fgd3e6b5f2dd6597a3@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: "Mark S. Miller" <erights@google.com>, Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>
On Fri, Jun 12, 2009 at 10:36 PM, Adam Barth <w3c@adambarth.com> wrote:
>> Isn't your answer above only about client (user agent) behavior? I'd still
>> like to understand what the recommended/expected difference in server behavior
>> should/might be depending on whether Origin is absent or null. Thanks.
>
> Suppose GuestXHR doesn't send an Origin header for any requests and a
> server uses the algorithm in draft-abarth-origin to mitigate CSRF
> attacks.  Now, an attacker can mount a CSRF attack against the server.

Could you provide a bit more detail here? I don't understand how an
attacker could mount a CSRF attack using GuestXHR, if there are no
user credentials in a GuestXHR request.

It seems to me that Origin is only about telling a server how to treat
user credentials attached to a request.

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
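An added illustration (not code from the thread or from any of its participants) of the server-side distinction under discussion: a lenient Origin policy that accepts requests with no Origin header admits a credential-less GuestXHR-style request, but a second check on whether the request carries the user's credentials shows whether it could act with the user's authority. The allowlist, the policy table and the sample requests are constructed assumptions, not a quotation of draft-abarth-origin.

```python
# Constructed allowlist of origins this server trusts for state-changing requests.
ALLOWED_ORIGINS = {"https://app.example"}


def origin_decision(headers, lenient_on_absent=True):
    """Return 'accept' or 'reject' for a state-changing request based on Origin.

    Assumed policy (for illustration):
    - Origin present and allowlisted       -> accept
    - Origin present but 'null' or foreign -> reject
    - Origin absent                        -> accept only when lenient_on_absent
      (the compatibility stance for user agents that never send the header)
    """
    origin = headers.get("Origin")
    if origin is None:
        return "accept" if lenient_on_absent else "reject"
    if origin == "null":
        return "reject"
    return "accept" if origin in ALLOWED_ORIGINS else "reject"


def is_authenticated(headers):
    """A request carries the user's ambient authority only if it brings credentials."""
    return "Cookie" in headers or "Authorization" in headers


def classify(headers, lenient_on_absent=True):
    """Combine both checks: a request the Origin policy admits is only a CSRF
    concern if it also carries the user's credentials."""
    if origin_decision(headers, lenient_on_absent) == "reject":
        return "rejected"
    return "accepted-authenticated" if is_authenticated(headers) else "accepted-anonymous"


# Constructed sample requests (header dicts only).
BROWSER_FORM_POST = {"Origin": "https://attacker.example", "Cookie": "session=abc"}
LEGACY_UA_POST = {"Cookie": "session=abc"}   # credentials, but no Origin header at all
GUEST_XHR_POST = {}                           # no Origin header and no credentials
SANDBOXED_POST = {"Origin": "null", "Cookie": "session=abc"}
SAME_SITE_POST = {"Origin": "https://app.example", "Cookie": "session=abc"}
```

Under the lenient policy the legacy request is the one that still reaches the application with the user's credentials; the GuestXHR-style request is admitted too, but as an anonymous caller.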
Received on Saturday, 13 June 2009 12:40:33 GMT
