
Re: ACTION-243 Propose link from note to threat trees (ISSUE-77)

From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
Date: Mon, 30 Jul 2007 13:39:43 -0400
To: tlr@w3.org
Cc: public-wsc-wg@w3.org
Message-ID: <OF5DF05443.CAE442DD-ON85257328.00607F12-85257328.0061061A@LocalDomain>
responding to: 
http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jun/0242.html


Sorry I didn't catch this earlier. I'm fine with all of it, except the 
parenthetical part of this one: 

>                3. Cross-site request forgery - causing a user to
>                unwittingly send, to a legitimate site, a request containing
>                data that he/she would not otherwise intend to send (e.g. to
>                perform an action that he/she did not intend to take).
> 

The issue I have with the parenthesis is that I don't see what's in our 
scope that could possibly deal with the "pure action" form of CSRF (as 
opposed to one that also requires the user to input data). By "pure 
action" I mean a URL based web application command that the user can 
legitimately issue (particularly when they are in an authenticated session 
with the web application). The defenses I know of to address that all take 
the form of tying the URL command to the user's session (with a nonce, for 
example) so that the URL command cannot be easily, blindly generated by 
the "attacker" as something the user will mistakenly click on. If someone 
can show an example of the sort of thing that we might do in the "pure 
action" CSRF area, then I'm OK leaving the parenthetical part in. 
Otherwise, I'd like to remove it. Either way, the rest of the text is 
good, and should be incorporated. 
Received on Monday, 30 July 2007 17:40:05 GMT
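The "pure action" CSRF and the session-bound nonce defense described in the message above, as an added example that is not part of the original post or of any WSC WG deliverable. It simulates a URL-based transfer command on a made-up site (bank.example, /transfer, the SESSIONS and BALANCES tables and all account names are assumptions): the vulnerable handler authorizes on the session cookie alone, so a link the attacker builds blindly succeeds when the logged-in victim follows it; the protected handler also requires a nonce minted for that session, so neither the blind link nor a token copied from the attacker's own session is accepted.

```python
"""Added illustration (not from the original message) of a 'pure action'
CSRF against a URL-based command, beside the session-bound nonce defense
the message describes.  bank.example, /transfer and all names are made up."""
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed in-memory server state standing in for a real web application.
SESSIONS = {}   # session-cookie value -> {"user": str, "csrf": str}
BALANCES = {}   # account name -> balance


def reset_state():
    SESSIONS.clear()
    BALANCES.clear()
    BALANCES.update({"alice": 100, "mallory": 0})


def login(user):
    """Authenticate a user: mint a session cookie and a per-session nonce."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(16)}
    return sid


def action_link(sid, to, amount):
    """What the legitimate site renders for a logged-in user: the command URL
    plus the nonce bound to that user's session.  A third party who never saw
    this page cannot produce the token part."""
    token = SESSIONS[sid]["csrf"]
    return f"https://bank.example/transfer?to={to}&amount={amount}&token={token}"


def _transfer(frm, to, amount):
    if to not in BALANCES or BALANCES.get(frm, 0) < amount:
        return "400 bad transfer"
    BALANCES[frm] -= amount
    BALANCES[to] += amount
    return "200 ok"


def _params(url):
    q = parse_qs(urlsplit(url).query)
    return (q.get("to", [""])[0],
            int(q.get("amount", ["0"])[0]),
            q.get("token", [""])[0])


def transfer_vulnerable(sid, url):
    """'Pure action' command authorized by the session cookie alone: any page
    that makes the victim's browser fetch this URL performs the transfer."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return "401 not logged in"
    to, amount, _ = _params(url)
    return _transfer(sess["user"], to, amount)


def transfer_protected(sid, url):
    """Same command, but the URL must carry the nonce tied to this session."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return "401 not logged in"
    to, amount, token = _params(url)
    # Constant-time compare; a token minted for another session does not match.
    if not hmac.compare_digest(token, sess["csrf"]):
        return "403 csrf token missing or wrong"
    return _transfer(sess["user"], to, amount)


def run_demo():
    """Simulate the victim's browser following attacker-supplied links while
    carrying the victim's own session cookie.  Returns the observed outcomes."""
    reset_state()
    victim = login("alice")
    attacker = login("mallory")   # the attacker also has an account and a session

    # Built blindly by the attacker: no knowledge of the victim's session needed.
    lure = "https://bank.example/transfer?to=mallory&amount=50"
    # Attacker tries to smuggle in a token from her own session instead.
    lure_with_own_token = action_link(attacker, "mallory", 50)

    results = {}
    results["vulnerable"] = transfer_vulnerable(victim, lure)                 # "200 ok"
    results["balance_after_vulnerable"] = BALANCES["mallory"]                  # 50
    results["protected_blind"] = transfer_protected(victim, lure)              # "403 ..."
    results["protected_foreign_token"] = transfer_protected(victim, lure_with_own_token)  # "403 ..."
    results["protected_legit"] = transfer_protected(victim, action_link(victim, "mallory", 10))  # "200 ok"
    results["balance_final"] = BALANCES["mallory"]                             # 60
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The nonce is what makes the command unforgeable from outside the session; putting it in the URL keeps the example close to the message's "URL command" framing, but because URLs leak through history and Referer headers, real deployments carry it in a POST body or request header, and the comparison is done in constant time so the token cannot be recovered by timing.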
