Re: XHR and sandboxed iframes (was: Re: XHR without user credentials)

From: Ian Hickson <ian@hixie.ch>
Date: Thu, 18 Jun 2009 07:32:56 +0000 (UTC)
To: "Mark S. Miller" <erights@google.com>
Cc: Anne van Kesteren <annevk@opera.com>, Tyler Close <tyler.close@gmail.com>, Adam Barth <w3c@adambarth.com>, public-webapps <public-webapps@w3.org>
Message-ID: <Pine.LNX.4.62.0906180726210.16244@hixie.dreamhostps.com>
On Wed, 17 Jun 2009, Mark S. Miller wrote:
> > 
> > I don't really understand what we're trying to prevent here.
> 
> Confused deputies such as XSRF problems. Original paper is at
> <http://www.cis.upenn.edu/~KeyKOS/ConfusedDeputy.html>. It's well worth
> rereading. Much deeper than it at first appears.

Could you describe a concrete attack that you are concerned about? I don't 
really see how the article you cite applies here.


> Perhaps my own <srl.cs.jhu.edu/pubs/SRL2003-02.pdf> may help.
>
> The threads and links already cited should make the connection with 
> browser security clear.

Maybe I'm just too stupid for this job, but I don't understand the 
connection at a concrete level. I mean, I think I understand the kind of 
threats we're talking about, but as far as I can tell, CORS takes care of 
them all.


> I'm not really sure what more to explain. Perhaps you could ask a more 
> specific question?

Could you show some sample code maybe that shows the specific threat you 
are concerned about?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 18 June 2009 07:33:31 GMT
