
Re: [UMP] Server opt-in

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 14 Jan 2010 11:34:58 -0800
Message-ID: <7789133a1001141134h6513308ta8c472c8dc508380@mail.gmail.com>
To: Tyler Close <tyler.close@gmail.com>
Cc: "Mark S. Miller" <erights@google.com>, public-webapps <public-webapps@w3.org>
On Thu, Jan 14, 2010 at 9:20 AM, Tyler Close <tyler.close@gmail.com> wrote:
> The confidentiality of a resource can be compromised by a CSRF
> vulnerability in a legitimate client.

Can you define what you mean by CSRF?  I think we must have different
ideas about what the term means because I don't understand that
sentence.

For reference, here's a definition of CSRF that I wrote in 2008:

"In a cross-site request forgery (CSRF) attack, the attacker disrupts
the integrity of the user's session with a web site by injecting
network requests via the user's browser."
--- http://www.adambarth.com/papers/2008/barth-jackson-mitchell-b.pdf

Here's how Wikipedia defines CSRF:

"Cross-site request forgery, also known as a one-click attack or
session riding and abbreviated as CSRF ("sea-surf"[1]) or XSRF, is a
type of malicious exploit of a website whereby unauthorized commands
are transmitted from a user that the website trusts."
--- http://en.wikipedia.org/wiki/Cross-site_request_forgery

In particular, both of these definitions talk about integrity
violations on the server.  You seem to be talking about a
confidentiality issue on the client.

Adam
Received on Thursday, 14 January 2010 19:44:12 GMT
