
Re: GET becoming unsafe?

From: Jonathan Rees <jar@creativecommons.org>
Date: Fri, 5 Jun 2009 11:17:05 -0400
Message-ID: <760bcb2a0906050817j328b00d4k62c91509b2dd3eb7@mail.gmail.com>
To: Anne van Kesteren <annevk@opera.com>
Cc: David Orchard <orchard@pacificspirit.com>, Technical Architecture Group WG <www-tag@w3.org>

Anne,

Let me see if I understand this: Dave can't do POSTs, so his
applications are using GET instead. Because the servers allow these
GETs, they expose their clients to CSRF attacks. With CORS, a protocol
will be defined, and presumably implemented by savvy servers and
clients, that will permit certain explicitly authorized cross-site
POST requests, so the pressure to abuse GET will be relieved, and the
CSRF risk will evaporate. The platforms Dave uses will become
convinced somehow that CORS is low-risk, will start to implement it,
and everyone will be happy. Yes?

Thanks
Jonathan

On Thu, Jun 4, 2009 at 4:52 AM, Anne van Kesteren <annevk@opera.com> wrote:
> On Wed, 03 Jun 2009 20:29:34 +0200, David Orchard <orchard@pacificspirit.com> wrote:
>> There's some irony that doing cross platform web based development
>> using html, javascript, etc. requires breaking one of the crucial
>> foundations of Web Arch.
>
> We're working on fixing it (as you know):
>
>  http://www.w3.org/TR/cors/
>
>
> --
> Anne van Kesteren
> http://annevankesteren.nl/
>
>
Received on Friday, 5 June 2009 15:17:45 GMT
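The thread describes two things at once: the CSRF exposure created when a server lets a state-changing operation be triggered by GET, and the CORS mechanism that lets a server authorize cross-site POST for explicitly listed origins instead. The following is an added illustration, not code from this thread, from the TAG or from the CORS specification. It is a toy request handler with a constructed `/transfer` operation and a constructed origin allow-list (`https://app.example.com`); `legacy_handle` shows the GET pattern the thread warns about, and `handle` shows the hardened form that keeps GET side-effect free and answers CORS preflights only for allowed origins.

```python
"""Added example: a GET-mutable endpoint beside a hardened POST-only one with
CORS origin checks. Constructed names and values throughout."""

from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed allow-list: the only origin permitted to make cross-site POSTs.
ALLOWED_ORIGINS = {"https://app.example.com"}

Response = Tuple[int, Dict[str, str], str]


@dataclass
class Bank:
    """Toy server state that a cross-site request might try to change."""
    balances: Dict[str, int] = field(
        default_factory=lambda: {"alice": 100, "bob": 0})

    def transfer(self, frm: str, to: str, amount: int) -> bool:
        if amount <= 0 or self.balances.get(frm, 0) < amount or to not in self.balances:
            return False
        self.balances[frm] -= amount
        self.balances[to] += amount
        return True


def parse_form(encoded: str) -> Dict[str, str]:
    """Parse a=1&b=2 into a dict (no percent-decoding; enough for the example)."""
    return dict(p.split("=", 1) for p in encoded.split("&") if "=" in p)


def legacy_handle(bank: Bank, method: str, path: str,
                  headers: Dict[str, str], body: str = "") -> Response:
    """The pattern the thread warns about: a state change reachable by GET.
    Any page that makes the victim's browser fetch this URL (an image tag,
    a redirect) performs the transfer with the victim's cookies, and the
    browser attaches no Origin header the server could check."""
    route, _, query = path.partition("?")
    if method == "GET" and route == "/transfer":
        p = parse_form(query)
        ok = bank.transfer(p["from"], p["to"], int(p["amount"]))
        return (200 if ok else 400), {}, ("ok" if ok else "transfer refused")
    return 404, {}, "not found"


def cors_headers(origin) -> Dict[str, str]:
    """CORS response headers for an allowed origin, or {} otherwise. Without
    Access-Control-Allow-Origin the browser withholds the response from the
    cross-site script; without a successful preflight it never sends the POST."""
    if origin in ALLOWED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Methods": "POST",
            "Access-Control-Allow-Headers": "Content-Type",
            "Vary": "Origin",
        }
    return {}


def handle(bank: Bank, method: str, path: str,
           headers: Dict[str, str], body: str = "") -> Response:
    """Hardened form: GET never mutates, POST is the only way to transfer, and
    cross-site POSTs are granted only to origins on the allow-list."""
    origin = headers.get("Origin")
    route = path.partition("?")[0]
    if route != "/transfer":
        return 404, {}, "not found"

    if method == "OPTIONS":
        # Preflight: the allow-list alone decides; no state is touched.
        allow = cors_headers(origin)
        return (204, allow, "") if allow else (403, {}, "origin not allowed")

    if method == "GET":
        # GET stays safe: the transfer is never performed here.
        return 405, {"Allow": "POST, OPTIONS"}, "transfers require POST"

    if method == "POST":
        # Browsers send Origin on cross-site POSTs; reject unknown origins.
        if origin is not None and origin not in ALLOWED_ORIGINS:
            return 403, {}, "origin not allowed"
        p = parse_form(body)
        try:
            ok = bank.transfer(p["from"], p["to"], int(p["amount"]))
        except (KeyError, ValueError):
            return 400, cors_headers(origin), "bad request"
        return (200 if ok else 400), cors_headers(origin), ("ok" if ok else "transfer refused")

    return 405, {"Allow": "POST, OPTIONS"}, "method not allowed"
```

The Origin check in `handle` is what CORS gives the server: a way to say yes to a specific cross-site caller rather than to everyone. It does not replace a CSRF token for ordinary HTML form submissions, which could already POST cross-site before CORS existed; the point of the example is that keeping GET safe removes the class of attack the thread describes, and CORS removes the pressure to abuse GET in the first place.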

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 26 April 2012 12:48:14 GMT