
Re: [cors] Uniform Messaging, a CSRF resistant profile of CORS

From: Mark S. Miller <erights@google.com>
Date: Sat, 21 Nov 2009 08:52:40 -0800
Message-ID: <4d2fac900911210852t2932a882q55b333fd5562f618@mail.gmail.com>
To: Jonas Sicking <jonas@sicking.cc>
Cc: Tyler Close <tyler.close@gmail.com>, public-webapps <public-webapps@w3.org>

On Sat, Nov 21, 2009 at 12:39 AM, Jonas Sicking <jonas@sicking.cc> wrote:
> I've only had time for a quick scan, but this looks like a very good proposal.

Thanks.


> Is there a reason why a full XMLHttpRequest API couldn't be used? I
> guess in its most simple incarnation things like setRequestHeader and
> .withCredentials would be removed.
>
> However technically speaking even setRequestHeader as well as
> arbitrary HTTP methods could be allowed if preflight requests were
> used. They would of course not contain any origin or referrer
> information. At a first glance this wouldn't expose any of the CSRF
> problems you are trying to avoid. (Granted, it's 12:30am and I've had
> a long day :) ).
>
> Or would you rather wait with that until later?

Exactly. We decided to separate Uniform Messaging into a Level One and
Level Two specs according to their need for pre-flight. With
pre-flight, additional HTTP methods, headers, and request entity media
types could all be supported without introducing any of the CSRF-like
problems we're trying to avoid. This first document is a draft only of
the Level One spec.


-- 
    Cheers,
    --MarkM
Received on Saturday, 21 November 2009 16:53:20 GMT
