
Re: ACTION-243 Propose link from note to threat trees (ISSUE-77)

From: Thomas Roessler <tlr@w3.org>
Date: Mon, 30 Jul 2007 14:52:28 -0400
To: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
Cc: public-wsc-wg@w3.org
Message-ID: <20070730185228.GZ2974@raktajino.does-not-exist.org>

On 2007-07-30 13:39:43 -0400, Mary Ellen Zurko wrote:

> The issue I have with the parenthesis is that I don't see what's
> in our scope that could possibly deal with the "pure action" form
> of CSRF (as opposed to one that also requires the user to input
> data). By "pure action" I mean a URL based web application
> command that the user can legitimately issue (particularly when
> they are in an authenticated session with the web application).
> The defenses I know of to address that all take the form of tying
> the URL command to the user's session (with a nonce, for 
> example) so that the URL command cannot be easily, blindly
> generated by the "attacker" as something the user will mistakenly
> click on.

Well, this is getting into HTTP POST vs. GET discussions: Use GET
for side-effect free activities, use POST for side-effect bearing
activities.  Don't play with nonces and GET in order to poorly
imitate POST.

I think the threats that are listed in the wiki below this
particular high-level theme indeed sound as if they are in scope,
and I also think the "cause an action" part is a useful explanation,
so I'd propose we keep the current text.

-- 
Thomas Roessler, W3C  <tlr@w3.org>
Received on Monday, 30 July 2007 18:52:38 GMT
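The two defenses discussed in the exchange above, as an added example that is not part of the original thread or of any W3C deliverable: a session-bound anti-forgery token (the "nonce tied to the user's session" Zurko describes) combined with the rule Roessler states, side-effect-free reads on GET and state-changing commands only on POST. The dispatcher, paths, `SERVER_KEY` and session identifiers are all constructed for illustration; the token is an HMAC over the session identifier, so a request built blindly by someone who does not hold the victim's session cannot carry a valid token.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

# Per-deployment secret; generated here for the example, never hard-coded in practice.
SERVER_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Derive a token bound to this session: HMAC(SERVER_KEY, session_id).

    Because the token depends on both a server secret and the session,
    a third party cannot precompute it for a victim's session.
    """
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Constant-time comparison against the token this session should carry."""
    return hmac.compare_digest(issue_csrf_token(session_id), token or "")


def handle_request(method: str, path: str, session_id: str, body: str = ""):
    """Toy web-application dispatcher (hypothetical).

    Returns (status, message). Reads are GET and have no side effects;
    the state-changing /transfer command is POST-only and must carry a
    csrf_token that matches the requesting session.
    """
    if path == "/account":
        if method != "GET":
            return 405, "read-only resource: GET only"
        return 200, f"balance for session {session_id}"

    if path == "/transfer":
        if method != "POST":
            # A URL alone (e.g. a link or image tag) can never trigger this command.
            return 405, "state-changing command: POST only"
        params = parse_qs(body)
        token = params.get("csrf_token", [""])[0]
        if not verify_csrf_token(session_id, token):
            # Request came without the session-bound token: reject before acting.
            return 403, "missing or invalid CSRF token"
        amount = params.get("amount", ["0"])[0]
        return 200, f"transferred {amount}"

    return 404, "not found"


def demo():
    """Walk through legitimate and forged requests against the dispatcher."""
    victim = "sess-victim-1"
    token = issue_csrf_token(victim)

    results = {
        "legit_post": handle_request("POST", "/transfer", victim,
                                     f"amount=100&csrf_token={token}"),
        "blind_get": handle_request("GET", "/transfer", victim),
        "post_no_token": handle_request("POST", "/transfer", victim, "amount=100"),
        "wrong_session_token": handle_request(
            "POST", "/transfer", victim,
            f"amount=100&csrf_token={issue_csrf_token('sess-other-2')}"),
        "read": handle_request("GET", "/account", victim),
    }
    return results


if __name__ == "__main__":
    for name, (status, msg) in demo().items():
        print(f"{name:22s} -> {status} {msg}")
```

Only the request that is both a POST and carries the token minted for the same session reaches the transfer logic; a forged URL, a POST lacking the token, and a token minted for a different session are all refused, which is the property the nonce-per-session approach in the thread is meant to provide.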
