
Re: GET becoming unsafe?

From: Anne van Kesteren <annevk@opera.com>
Date: Sat, 06 Jun 2009 00:19:36 +0200
To: "Jonathan Rees" <jar@creativecommons.org>
Cc: "David Orchard" <orchard@pacificspirit.com>, "Technical Architecture Group WG" <www-tag@w3.org>
Message-ID: <op.uu2oayub64w2qv@anne-van-kesterens-macbook.local>
On Fri, 05 Jun 2009 17:17:05 +0200, Jonathan Rees <jar@creativecommons.org> wrote:
> Let me see if I understand this: Dave can't do POSTs, so his
> applications are using GET instead. Because the servers allow these
> GETs, they expose their clients to CSRF attacks. With CORS, a protocol
> will be defined, and presumably implemented by savvy servers and
> clients, that will permit certain explicitly authorized cross-site
> POST requests, so the pressure to abuse GET will be relieved, and the
> CSRF risk will evaporate. The platforms Dave uses will become
> convinced somehow that CORS is low-risk, will start to implement it,
> and everyone will be happy. Yes?

Yes. (It actually has other benefits too such as being able to read the  
response without letting the third party execute JavaScript on your page  
which should help adoption.)

Anne van Kesteren
Received on Friday, 5 June 2009 22:20:27 UTC
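The mechanism the thread describes, as an added example (not code from the thread, from any W3C specification, or from either author): a server-side policy that refuses to perform a state change on GET and honours cross-site POST only for origins explicitly listed in a CORS allowlist. The allowlist, the path table and the request shape are constructed for the example.

```javascript
// Constructed allowlist of origins permitted to make cross-site requests,
// and the paths whose handlers change server state.
const ALLOWED_ORIGINS = new Set(['https://app.example']);
const STATE_CHANGING_PATHS = new Set(['/api/transfer']);

// Decide how to answer a request given as { method, path, headers }
// (header names lower-cased). Returns { status, headers, accepted }, where
// accepted means the handler behind the path would actually run.
function corsDecision(req) {
  const { method, path, headers } = req;
  const origin = headers.origin;
  const mutates = STATE_CHANGING_PATHS.has(path);
  const preflight = method === 'OPTIONS' && 'access-control-request-method' in headers;

  // Rule 1: a state change is accepted only on POST (or its preflight).
  // A GET that mutates state is exactly what a CSRF link or <img> triggers.
  if (mutates && method !== 'POST' && !preflight) {
    return { status: 405, headers: { Allow: 'POST' }, accepted: false };
  }
  // Rule 2: no Origin header means a same-origin page or a non-browser
  // client; CORS does not apply and same-origin policy already protects it.
  if (origin === undefined) {
    return { status: 200, headers: {}, accepted: true };
  }
  // Rule 3: a cross-site request is honoured only for a listed origin. Without
  // the CORS headers the browser would block reading the response anyway, but
  // refusing here also stops the side effect. A form-encoded POST is a
  // "simple" request that skips preflight, so this check on the actual
  // request is what protects a state-changing endpoint.
  if (!ALLOWED_ORIGINS.has(origin)) {
    return { status: 403, headers: {}, accepted: false };
  }
  const cors = { 'Access-Control-Allow-Origin': origin, Vary: 'Origin' };
  if (preflight) {
    // Preflight: state explicitly which methods and headers this origin may use.
    return { status: 204, accepted: true, headers: { ...cors,
      'Access-Control-Allow-Methods': 'GET, POST',
      'Access-Control-Allow-Headers': 'Content-Type',
      'Access-Control-Max-Age': '600' } };
  }
  // Authorized cross-site request: echo the origin so the page may read the
  // response without the server's script running in that page.
  return { status: 200, headers: cors, accepted: true };
}
```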
