Re: GET becoming unsafe? from Jonathan Rees on 2009-06-05 (www-tag@w3.org from June 2009)

From: Jonathan Rees <jar@creativecommons.org>
Date: Fri, 5 Jun 2009 15:57:19 -0400
To: David Orchard <orchard@pacificspirit.com>
Cc: Anne van Kesteren <annevk@opera.com>, Technical Architecture Group WG <www-tag@w3.org>
Message-ID: <760bcb2a0906051257q497525fpa395dee8aaa89678@mail.gmail.com>

Thanks Dave - I'm kind of slow here, and not sure I completely
understand your scenario - but no matter, the purpose of my question
to Anne was to surface issues like this, and maybe the tactic is
working. I would like to understand how CORS will work once deployed
and what its limits will be. Do you agree with Anne's statement that
CORS will eventually address your situation somehow?

Jonathan

On Fri, Jun 5, 2009 at 2:17 PM, David Orchard <orchard@pacificspirit.com> wrote:
> The subtlety that I'm bringing up is that the browser hasn't been
> built with the idea that itself could be embedded within a trusted
> application.  I *could* do callouts to native code to do the POSTs on
> the device, but I'd rather stay with the wonderfully documented XHR
> (thanks Anne!).  This is not the typical cross-site scripting,
> because the 2 sites are the local device and the server.
>
> Dave
>
> On Fri, Jun 5, 2009 at 8:17 AM, Jonathan Rees<jar@creativecommons.org> wrote:
>> Anne,
>>
>> Let me see if I understand this: Dave can't do POSTs, so his
>> applications are using GET instead. Because the servers allow these
>> GETs, they expose their clients to CSRF attacks. With CORS, a protocol
>> will be defined, and presumably implemented by savvy servers and
>> clients, that will permit certain explicitly authorized cross-site
>> POST requests, so the pressure to abuse GET will be relieved, and the
>> CSRF risk will evaporate. The platforms Dave uses will become
>> convinced somehow that CORS is low-risk, will start to implement it,
>> and everyone will be happy. Yes?
>>
>> Thanks
>> Jonathan
>>
>> On Thu, Jun 4, 2009 at 4:52 AM, Anne van Kesteren <annevk@opera.com> wrote:
>>> On Wed, 03 Jun 2009 20:29:34 +0200, David Orchard <orchard@pacificspirit.com> wrote:
>>>> There's some irony that doing cross platform web based development
>>>> using html, javascript, etc. requires breaking one of the crucial
>>>> foundations of Web Arch.
>>>
>>> We're working on fixing it (as you know):
>>>
>>>  http://www.w3.org/TR/cors/
>>>
>>>
>>> --
>>> Anne van Kesteren
>>> http://annevankesteren.nl/
>>>
>>>
>>
>

Received on Friday, 5 June 2009 19:57:51 UTC