W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2009

Re: [cors] Uniform Messaging, a CSRF resistant profile of CORS

From: Jonas Sicking <jonas@sicking.cc>
Date: Sat, 21 Nov 2009 00:39:07 -0800
Message-ID: <63df84f0911210039nc038fabgf2543e518750cd1b@mail.gmail.com>
To: Tyler Close <tyler.close@gmail.com>
Cc: public-webapps <public-webapps@w3.org>
On Fri, Nov 20, 2009 at 5:04 PM, Tyler Close <tyler.close@gmail.com> wrote:
> MarkM and I have produced a draft specification for the GuestXHR
> functionality we've been advocating. The W3C style specification
> document is attached. We look forward to any feedback on it.
>
> We agree with others that "GuestXHR" was not a good name and so have
> named the proposal "Uniform Messaging" for reasons elaborated in the
> specification.
>
> To parallel the CORS separation of policy from API, this first
> document is the policy specification with an XMLHttpRequest-like API
> yet to follow.

I've only had time for a quick scan, but this looks like a very good proposal.

Is there a reason why a full XMLHttpRequest API couldn't be used? I
guess in its most simple incarnation things like setRequestHeader and
.withCredentials would be removed.

However technically speaking even setRequestHeader as well as
arbitrary HTTP methods could be allowed if preflight requests were
used. They would of course not contain any origin or referrer
information. At a first glance this wouldn't expose any of the CSRF
problems you are trying to avoid. (Granted, it's 12:30am and I've had
a long day :) ).

Or would you rather wait with that until later?

/ Jonas
Received on Saturday, 21 November 2009 08:40:06 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:35 GMT