
Re: CSRF vulnerability in Tyler's GuestXHR protocol?

From: Devdatta <dev.akhawe@gmail.com>
Date: Fri, 13 Nov 2009 18:45:05 -0800
Message-ID: <ecf35a1b0911131845r1879744yee7c3a90e030211b@mail.gmail.com>
To: Tyler Close <tyler.close@gmail.com>
Cc: public-webapps <public-webapps@w3.org>
>>
>> Some parts of the protocol are not clear to me. Can you please clarify
>> the following:
>> 1> In msg 1, what script context is the browser running in? Site A or
>> Site B? (in other words, who initiates the whole protocol?)
>
> Server A, or a bookmark.

Wasn't Maciej's original scenario that of a user going to Site B (an
event's site) and adding stuff to his calendar at A? In such a
scenario, the complete protocol should ideally start with B.

Thanks
devdatta
Received on Saturday, 14 November 2009 02:45:57 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:35 GMT