W3C home > Mailing lists > Public > www-tag@w3.org > June 2009

Re: Cross Site Request Forgery and GET (ACTION-274)

From: Anne van Kesteren <annevk@opera.com>
Date: Fri, 05 Jun 2009 16:02:49 +0200
To: "Thomas Roessler" <tlr@w3.org>, noah_mendelsohn@us.ibm.com
Cc: www-tag@w3.org
Message-ID: <op.uu11aza964w2qv@annevk-t60>
On Fri, 05 Jun 2009 15:56:52 +0200, Thomas Roessler <tlr@w3.org> wrote:
> On 5 Jun 2009, at 00:36, noah_mendelsohn@us.ibm.com wrote:
>> Granting that naive users won't know to do this, and even sophisticated
>> users can easily forget: to what extent can individuals protect  
>> themselves
>> by logging off from one site before visiting another.
>
> In theory, that would help (though there are some tricks to cause logins  
> when form fillers are active).
>
> The real point here is, though, that today's web browsers will run  
> several web applications at the same time; these applications might come  
> from different origins, depend on each other, and talk to each other.
>
> In that circumstance, a "log out to prevent XSRF" practice just doesn't  
> make sense.

Might actually be harmful to user security as it would encourage sites to ask for the user's authentication data rather than using e.g. OAuth to obtain the relevant data.


-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Friday, 5 June 2009 14:03:46 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 26 April 2012 12:48:14 GMT