Re: CSRF vulnerability in Tyler's GuestXHR protocol?

From: Tyler Close <tyler.close@gmail.com>
Date: Mon, 16 Nov 2009 09:33:57 -0800
Message-ID: <5691356f0911160933q3e2da58dj3f6c01c7e8dc468b@mail.gmail.com>
To: Devdatta <dev.akhawe@gmail.com>
Cc: public-webapps <public-webapps@w3.org>
On Fri, Nov 13, 2009 at 6:45 PM, Devdatta <dev.akhawe@gmail.com> wrote:
>>>
>>> Some parts of the protocol are not clear to me. Can you please clarify
>>> the following:
>>> 1> In msg 1, what script context is the browser running in? Site A or
>>> Site B? (in other words, who initiates the whole protocol?)
>>
>> Server A, or a bookmark.
>
> Wasn't Maciej's original scenario that of a user going to Site B (an
> event's site) and adding stuff to his calendar at A? In such a
> scenario, the complete protocol should ideally start with B.

There are two parts to Maciej's scenario: the access grant (get
permission to use the calendar) and the use of access (add an event to
the calendar). Maciej starts the first at Server A (the calendar site)
and the second at Server B (the upcoming events site). Our proposed
solution does the same as Maciej's proposal.

See:

http://sites.google.com/site/guestxhr/maciej-challenge

If you want to try working on a different scenario that starts both
steps at Server B, that's fine. With the same techniques applied in
Maciej's scenario, you should be able to construct a solution to the
new scenario.

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Monday, 16 November 2009 17:34:30 GMT