On Fri, 05 Jun 2009 17:17:05 +0200, Jonathan Rees <jar@creativecommons.org> wrote:
> Let me see if I understand this: Dave can't do POSTs, so his
> applications are using GET instead. Because the servers allow these
> GETs, they expose their clients to CSRF attacks. With CORS, a protocol
> will be defined, and presumably implemented by savvy servers and
> clients, that will permit certain explicitly authorized cross-site
> POST requests, so the pressure to abuse GET will be relieved, and the
> CSRF risk will evaporate. The platforms Dave uses will become
> convinced somehow that CORS is low-risk, will start to implement it,
> and everyone will be happy. Yes?

Yes. (It actually has other benefits too, such as being able to read the response without letting the third party execute JavaScript on your page, which should help adoption.)

-- 
Anne van Kesteren
http://annevankesteren.nl/

Received on Friday, 5 June 2009 22:20:27 GMT