Re: XHR and sandboxed iframes (was: Re: XHR without user credentials)

On Wed, Jun 17, 2009 at 5:02 PM, Mark S. Miller<erights@google.com> wrote:
> On Wed, Jun 17, 2009 at 4:46 PM, Ian Hickson <ian@hixie.ch> wrote:
>> But... we want the page talking on behalf of the user. That's the point
>> of a browser.
>
> Not in this way. At least not according to Roy Fielding (Mr. REST)
> <http://lists.w3.org/Archives/Public/ietf-http-wg/2009JanMar/0037.html>.

That email also claims that "CSRF is not a security issue for the
Web," so I guess we need not worry about these issues.  :)

Adam

Received on Thursday, 18 June 2009 00:09:56 UTC