Hi Maciej,

Thanks for the many responses. I'll try to get to them all shortly, but I'd like to start by clarifying one point...

On Wed, Nov 4, 2009 at 5:57 PM, Maciej Stachowiak <mjs@apple.com> wrote:
> On Nov 4, 2009, at 4:51 PM, Tyler Close wrote:
>
> 2) I strongly disagree with the final sentence on that page: "As discussed
> at Tuesday's TPAC meeting, Maciej's solution is vulnerable to a CSRF-like
> attack by Server A on Server B if the "add event" URL provided by Server A
> actually refers to a resource on Server B." The scenario I posted does *not*
> involve Server A providing a URL to Server B and does not have a
> vulnerability.

How does Server B get the URL if not from Server A? The URL is supposed to refer to a resource on Server A, so only Server A can provide its value. Somehow, Server B must get the URL from Server A. That communication, however it is done, is vulnerable to a CSRF-like attack.

--Tyler

Received on Thursday, 5 November 2009 04:20:33 GMT