W3C home > Mailing lists > Public > www-tag@w3.org > June 2009

Re: Cross Site Request Forgery and GET (ACTION-274)

From: Thomas Roessler <tlr@w3.org>
Date: Fri, 5 Jun 2009 19:12:29 +0200
To: noah_mendelsohn@us.ibm.com
Message-Id: <57621E25-2680-4A07-A499-8A5EF783E5F3@w3.org>
Cc: www-tag@w3.org
On 5 Jun 2009, at 16:06, noah_mendelsohn@us.ibm.com wrote:

>> In that circumstance, a "log out to prevent XSRF" practice just
>> doesn't make sense.
>
> Well, it does if the collection of applications/sites you have active
> includes at most one in which you have login credentials giving  
> permission
> to access or change sensitive information.  For myself, I try to  
> maintain
> that self-imposed restriction, and it would be easier and safer if  
> my user
> agent helped me to do that.  I'm not saying that this is a complete
> solution, but maybe a piece of the puzzle.  For example, if the user  
> agent
> were aware of such logins being active, it could warn when a script  
> from
> another site was taking advantage of them.

I suspect that we're operating from divergent assumptions how Web  
applications will develop and be used:  I fully expect that we'll see  
more and more mash-ups where the browser will need access to private  
data hosted on different origins at the same time for the applications  
to function.  I also expect that we'll see more, not less, different  
Web applications being used in parallel by the user.

If we think of the Web as an application platform, then the behavior  
that you suggest seems to get fairly close to only ever running a  
single application on a PC.
Received on Friday, 5 June 2009 17:12:37 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 26 April 2012 12:48:14 GMT