Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?)

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 15 Dec 2009 00:09:02 -0800
Message-ID: <7789133a0912150009h1e3a6dbckc430225925897bf4@mail.gmail.com>
To: Jonas Sicking <jonas@sicking.cc>
Cc: Tyler Close <tyler.close@gmail.com>, Maciej Stachowiak <mjs@apple.com>, "Mark S. Miller" <erights@google.com>, Arthur Barstow <Art.Barstow@nokia.com>, Ian Hickson <ian@hixie.ch>, Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>
On Mon, Dec 14, 2009 at 6:14 PM, Jonas Sicking <jonas@sicking.cc> wrote:
> For what it's worth, I'm not sure that "eliminating" is correct here.
> With UM, I can certainly see people doing things like using a wrapping
> library for all UM requests (very commonly done with XHR today), and
> then letting that library add the security token to the request.

There are real examples of this exact vulnerability occurring in CSRF
defenses based on secret tokens. There's no silver bullet for
security.

Adam
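As an added illustration (not code from this thread or from any of its participants), the wrapper-library failure Jonas describes and the same-origin check that prevents it; the origin, token value and endpoint URLs are constructed placeholders:

```javascript
// Added example: a request wrapper that carries a secret CSRF token.
// naiveRequest() attaches the token to every request, so one call to a
// cross-origin URL hands the secret to another site. guardedRequest()
// attaches it only when the resolved destination shares the page's origin
// (scheme, host and port). APP_ORIGIN and CSRF_TOKEN are constructed values.

const APP_ORIGIN = "https://app.example";
const CSRF_TOKEN = "constructed-secret-token";

// Naive wrapper: unconditionally adds the token header.
function naiveRequest(url, headers = {}) {
  return { url, headers: { ...headers, "X-CSRF-Token": CSRF_TOKEN } };
}

// Resolve relative, protocol-relative and absolute URLs against the page
// origin, then compare the full origin tuple. Anything that does not parse
// is treated as foreign: a secret should never be attached on a guess.
function isSameOrigin(url, pageOrigin = APP_ORIGIN) {
  let target;
  try {
    target = new URL(url, pageOrigin);
  } catch (e) {
    return false;
  }
  return target.origin === new URL(pageOrigin).origin;
}

// Hardened wrapper: the token only travels to our own origin.
function guardedRequest(url, headers = {}) {
  const h = { ...headers };
  if (isSameOrigin(url)) h["X-CSRF-Token"] = CSRF_TOKEN;
  return { url, headers: h };
}

// Report which destinations a given wrapper would send the token to.
function leaksTo(wrapper, urls) {
  return urls.filter((u) => "X-CSRF-Token" in wrapper(u).headers);
}

// Constructed destinations covering the usual same-origin edge cases.
const DESTINATIONS = [
  "/api/transfer",             // relative path: same origin
  "https://app.example/api/x", // absolute: same origin
  "//other.example/collect",   // protocol-relative: cross origin
  "https://app.example:8443/", // same host, different port
  "http://app.example/",       // same host, different scheme
];
```

Run `leaksTo(naiveRequest, DESTINATIONS)` and `leaksTo(guardedRequest, DESTINATIONS)` side by side: the naive wrapper leaks to all five, the guarded one only to the two same-origin entries.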
Received on Tuesday, 15 December 2009 08:09:56 GMT