W3C home > Mailing lists > Public > www-tag@w3.org > June 2009

Re: GET becoming unsafe?

From: David Orchard <orchard@pacificspirit.com>
Date: Fri, 5 Jun 2009 11:17:59 -0700
Message-ID: <2d509b1b0906051117u7fbd0d1k30964cfd3ecf4fc@mail.gmail.com>
To: Jonathan Rees <jar@creativecommons.org>
Cc: Anne van Kesteren <annevk@opera.com>, Technical Architecture Group WG <www-tag@w3.org>
The subtlety that I'm bringing up is that the browser hasn't been
built with the idea that itself could be embedded within a trusted
application.  I *could* do callouts to native code to do the POSTs on
the device, but I'd rather stay with the wonderfully documented XHR
(thanks Anne!).  This is not they typical cross-site scripting,
because the 2 sites are the local device and the server.

Dave

On Fri, Jun 5, 2009 at 8:17 AM, Jonathan Rees<jar@creativecommons.org> wrote:
> Anne,
>
> Let me see if I understand this: Dave can't do POSTs, so his
> applications are using GET instead. Because the servers allow these
> GETs, they expose their clients to CSRF attacks. With CORS, a protocol
> will be defined, and presumably implemented by savvy servers and
> clients, that will permit certain explicitly authorized cross-site
> POST requests, so the pressure to abuse GET will be relieved, and the
> CSRF risk will evaporate. The platforms Dave uses will become
> convinced somehow that CORS is low-risk, will start to implement it,
> and everyone will be happy. Yes?
>
> Thanks
> Jonathan
>
> On Thu, Jun 4, 2009 at 4:52 AM, Anne van Kesteren <annevk@opera.com> wrote:
>> On Wed, 03 Jun 2009 20:29:34 +0200, David Orchard <orchard@pacificspirit.com> wrote:
>>> There's some irony that doing cross platform web based development
>>> using html, javascript, etc. requires breaking one of the crucial
>>> foundations of Web Arch.
>>
>> We're working on fixing it (as you know):
>>
>>  http://www.w3.org/TR/cors/
>>
>>
>> --
>> Anne van Kesteren
>> http://annevankesteren.nl/
>>
>>
>
Received on Friday, 5 June 2009 18:18:39 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 26 April 2012 12:48:14 GMT