
Re: Proposed resolution for Issue 237 (new attack scenario based on XmlHttpRequest object)

From: Julian Reschke <julian.reschke@gmx.de>
Date: Sun, 04 Mar 2007 20:56:02 +0100
Message-ID: <45EB2452.8080805@gmx.de>
To: Bjoern Hoehrmann <derhoermi@gmx.net>
CC: WebDAV WG <w3c-dist-auth@w3.org>

Bjoern Hoehrmann wrote:
> ...
> You should say Bob has write access to http://www.example.com/users/bob/
> I missed that at first and wondered what the point here might be.

OK, how about:

     1.  Alice prepares an HTML page with embedded Javascript code that
         will submit a DELETE request against the URI
         http://www.example.com/users/bob/ (a resource she does not have
         write access to, but Bob has).

>>    o  Using user agents that follow Section 9.1.1 of [RFC2616], in that
>>       they do not allow unsafe methods to be executed without making the
>>       user aware of the consequences - unfortunately, none of today's
>>       browsers is doing that.
> 
> I don't think this is the best way to put it, but I don't have much
> better text at hand right now.

Proposals welcome. I think it's worthwhile to mention that RFC 2616 is 
very clear that the user agent must never invoke an unsafe method without 
the user's consent, a principle that very clearly isn't followed by 
today's browsers when they allow unsafe methods without any user 
confirmation.

Best regards, Julian
Received on Sunday, 4 March 2007 19:56:09 GMT
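Added example, not part of Julian's message or of the WebDAV draft under discussion: a small log check, from the server operator's side, that applies the safe/unsafe method distinction of RFC 2616 Section 9.1.1 and flags unsafe requests (DELETE, PUT, ...) whose Referer points at a different site than the server, which is what the scenario above would leave behind in an access log. The log format, the sample lines and the Referer-based heuristic are assumptions made for this example; a user agent that sends no Referer can only be reported as unverifiable, not as an attack.

```python
"""Added example (not code from the thread or the WebDAV WG): classify HTTP
methods as safe/unsafe per RFC 2616 s.9.1.1 and flag unsafe requests whose
Referer is from another site.  Log format and sample lines are constructed;
the Referer heuristic is an assumption (a missing Referer is inconclusive)."""
import re
from urllib.parse import urlsplit

# RFC 2616 s.9.1.1 names GET and HEAD as "safe"; OPTIONS and TRACE have no
# side effects either.  PROPFIND is treated as read-only here (assumption).
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE", "PROPFIND"}

# Constructed combined-log-style format: client ident user [ts] "req" status bytes "referer"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)"$'
)


def is_safe_method(method):
    """True for methods that must not change server state (RFC 2616 s.9.1.1)."""
    return method.upper() in SAFE_METHODS


def parse_log_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def referer_host(url):
    """Host part of the Referer URL, or None when the log shows '-' (absent)."""
    if not url or url == "-":
        return None
    return urlsplit(url).hostname


def flag_cross_site_unsafe(lines, server_host):
    """Return (user, method, uri, reason) for every unsafe request that was
    either sent from a page on another host ("cross-site") or carried no
    Referer at all ("missing-referer", inconclusive)."""
    findings = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or is_safe_method(rec["method"]):
            continue
        host = referer_host(rec["referer"])
        if host is None:
            reason = "missing-referer"
        elif host.lower() != server_host.lower():
            reason = "cross-site"
        else:
            continue  # unsafe method, but initiated from our own site
        findings.append((rec["user"], rec["method"], rec["uri"], reason))
    return findings


# Constructed sample log: Bob's browser, logged in as bob, is driven by a page
# on alice.example.net (the scenario in the thread) plus some normal traffic.
SAMPLE_LOG = [
    '203.0.113.5 - bob [04/Mar/2007:20:55:30 +0100] "GET /users/bob/ HTTP/1.1" 200 512 "http://www.example.com/"',
    '203.0.113.5 - bob [04/Mar/2007:20:55:35 +0100] "PROPFIND /users/bob/ HTTP/1.1" 207 940 "http://alice.example.net/page.html"',
    '203.0.113.5 - bob [04/Mar/2007:20:55:40 +0100] "DELETE /users/bob/ HTTP/1.1" 204 0 "http://alice.example.net/page.html"',
    '203.0.113.5 - bob [04/Mar/2007:20:57:10 +0100] "PUT /users/bob/notes.txt HTTP/1.1" 201 0 "http://www.example.com/editor"',
    '203.0.113.5 - bob [04/Mar/2007:20:58:02 +0100] "DELETE /users/bob/old.txt HTTP/1.1" 204 0 "-"',
]

if __name__ == "__main__":
    for finding in flag_cross_site_unsafe(SAMPLE_LOG, "www.example.com"):
        print(finding)
```

The check is deliberately narrow: it only separates safe from unsafe methods and asks where the request was initiated from, which is exactly the distinction RFC 2616 makes and the one the user agent is supposed to surface to the user before sending the request.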
