Re: CORS Background slides

From: Tyler Close <tyler.close@gmail.com>
Date: Wed, 4 Nov 2009 20:20:00 -0800
Message-ID: <5691356f0911042020k75eb0777vf0b18e77713c9b0d@mail.gmail.com>
To: Maciej Stachowiak <mjs@apple.com>
Cc: WebApps WG <public-webapps@w3.org>

Hi Maciej,

Thanks for the many responses. I'll try to get to them all shortly,
but I'd like to start by clarifying one point...

On Wed, Nov 4, 2009 at 5:57 PM, Maciej Stachowiak <mjs@apple.com> wrote:
> On Nov 4, 2009, at 4:51 PM, Tyler Close wrote:
> 2) I strongly disagree with the final sentence on that page: "As discussed
> at Tuesday's TPAC meeting, Maciej's solution is vulnerable to a CSRF-like
> attack by Server A on Server B if the "add event" URL provided by Server A
> actually refers to a resource on Server B." The scenario I posted does *not*
> involve Server A providing a URL to Server B and does not have a
> vulnerability.

How does Server B get the URL if not from Server A? The URL is
supposed to refer to a resource on Server A, so only Server A can
provide its value. Somehow, Server B must get the URL from Server A.
That communication, however it is done, is vulnerable to a CSRF-like
attack.

--Tyler
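As an added illustration of the check implied by this exchange (not part of the thread or of any proposal discussed in it): if Server B is going to dereference an "add event" URL that it received from Server A, it should only do so when the URL's origin is Server A's, and never when the URL points back at Server B itself, since B's own request would otherwise carry B's authority against B. The origins, the `is_safe_to_dereference` helper and the sample URLs below are assumptions constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed example origins: the server doing the fetch (Server B) and the
# server that supplied the "add event" URL (Server A).
SELF_ORIGIN = "https://server-b.example"
PROVIDER_ORIGIN = "https://server-a.example"


def origin_of(url):
    """Normalise a URL to scheme://host:port, or None if it is not an http(s) URL.

    Using urlsplit().hostname (not the raw netloc) means userinfo tricks such as
    https://server-a.example@server-b.example/ resolve to the real host.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return f"{parts.scheme}://{parts.hostname}:{port}"


def is_safe_to_dereference(url, provider_origin=PROVIDER_ORIGIN, self_origin=SELF_ORIGIN):
    """Return True only if `url` points at the origin that supplied it.

    Rejects URLs that resolve to our own origin (the CSRF-like case in the
    thread: A directing B's request at B's own resources) and URLs on any third
    origin, where B's request would carry authority A should not be able to aim.
    """
    origin = origin_of(url)
    if origin is None:
        return False
    if origin == origin_of(self_origin):
        return False
    return origin == origin_of(provider_origin)


def add_event_target(url):
    """Hypothetical gate in front of B's outbound fetch: raise instead of fetching
    when the supplied URL fails the origin check."""
    if not is_safe_to_dereference(url):
        raise ValueError(f"refusing to dereference {url!r}: origin is not the provider's")
    return url


if __name__ == "__main__":
    for candidate in (
        "https://server-a.example/events/123",              # expected: allowed
        "https://server-b.example/admin/delete?id=5",       # expected: refused (points at B)
        "https://server-a.example@server-b.example/x",      # expected: refused (userinfo trick)
        "https://server-a.example:8443/events/123",         # expected: refused (different port)
    ):
        print(candidate, "->", is_safe_to_dereference(candidate))
```

The check compares whole origins (scheme, host and port) rather than hostnames alone, so a URL on a different port of Server A is treated as a different origin, matching the same-origin model CORS itself is built on.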
Received on Thursday, 5 November 2009 04:20:33 GMT