
Re: GET becoming unsafe?

From: David Orchard <orchard@pacificspirit.com>
Date: Fri, 12 Jun 2009 10:29:25 -0700
Message-ID: <2d509b1b0906121029y5fe87b6fj935ace8e88289ff5@mail.gmail.com>
To: John Kemp <john.kemp@nokia.com>
Cc: Jonathan Rees <jar@creativecommons.org>, Anne van Kesteren <annevk@opera.com>, Technical Architecture Group WG <www-tag@w3.org>

The application is trusted by the user as they have paid for and
installed it on their device.  It is trusted by the device to the
extent that any application is trusted by the device.  Applications
that aren't built on a browser have access to whatever the device's
sandbox gives them.  There is a sandbox for all applications; for
example, other applications' files and configurations are not available.

Cheers,
Dave

On Fri, Jun 12, 2009 at 6:38 AM, John Kemp <john.kemp@nokia.com> wrote:
> Hi Dave,
>
> ext David Orchard wrote:
>>
>> The subtlety that I'm bringing up is that the browser hasn't been
>> built with the idea that itself could be embedded within a trusted
>> application.
>
> What is a "trusted application" for the purposes of this discussion? Trusted
> by whom?
>
>>  I *could* do callouts to native code to do the POSTs on
>> the device, but I'd rather stay with the wonderfully documented XHR
>> (thanks Anne!).  This is not the typical cross-site scripting,
>> because the 2 sites are the local device and the server.
>
> My grandmother used to say "never trust a client, no matter what
> jiggery-pokery the client is capable of".
>
> - johnk
>
>>
>> Dave
>>
>> On Fri, Jun 5, 2009 at 8:17 AM, Jonathan Rees <jar@creativecommons.org>
>> wrote:
>>>
>>> Anne,
>>>
>>> Let me see if I understand this: Dave can't do POSTs, so his
>>> applications are using GET instead. Because the servers allow these
>>> GETs, they expose their clients to CSRF attacks. With CORS, a protocol
>>> will be defined, and presumably implemented by savvy servers and
>>> clients, that will permit certain explicitly authorized cross-site
>>> POST requests, so the pressure to abuse GET will be relieved, and the
>>> CSRF risk will evaporate. The platforms Dave uses will become
>>> convinced somehow that CORS is low-risk, will start to implement it,
>>> and everyone will be happy. Yes?
>>>
>>> Thanks
>>> Jonathan
>>>
>>> On Thu, Jun 4, 2009 at 4:52 AM, Anne van Kesteren <annevk@opera.com>
>>> wrote:
>>>>
>>>> On Wed, 03 Jun 2009 20:29:34 +0200, David Orchard
>>>> <orchard@pacificspirit.com> wrote:
>>>>>
>>>>> There's some irony that doing cross platform web based development
>>>>> using html, javascript, etc. requires breaking one of the crucial
>>>>> foundations of Web Arch.
>>>>
>>>> We're working on fixing it (as you know):
>>>>
>>>>  http://www.w3.org/TR/cors/
>>>>
>>>>
>>>> --
>>>> Anne van Kesteren
>>>> http://annevankesteren.nl/
>>>>
>>>>
>>
>
>
Received on Friday, 12 June 2009 17:30:02 GMT
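
A sketch of the server-side policy that Jonathan's summary in the thread implies, added here as an example and not taken from any participant's message: GET never changes state, and a cross-site POST succeeds only for an explicitly authorized origin. The function name `handleTransfer`, the request shape and the origin `https://app.example` are assumptions made for illustration, as is the assumption that clients send an `Origin` header on POST.

```javascript
// Constructed sample values: the allowed origin is hypothetical.
const ALLOWED_ORIGINS = new Set(["https://app.example"]);
const DENY = { status: 403, headers: {}, changed: false };
const WRONG_METHOD = { status: 405, headers: { Allow: "POST, OPTIONS" }, changed: false };

// Decide how a server answers a request for a state-changing resource.
// req: { method, headers } with lower-cased header names (assumed shape).
function handleTransfer(req) {
  const method = req.method.toUpperCase();
  const origin = req.headers["origin"];
  const allowed = origin !== undefined && ALLOWED_ORIGINS.has(origin);

  // CORS preflight: the browser asks permission before a non-simple cross-site POST.
  if (method === "OPTIONS" && req.headers["access-control-request-method"]) {
    if (!allowed) return DENY;
    return {
      status: 204,
      headers: {
        "Access-Control-Allow-Origin": origin, // echo the one origin, never "*"
        "Access-Control-Allow-Methods": "POST",
        "Access-Control-Allow-Headers": "Content-Type",
        Vary: "Origin",
      },
      changed: false,
    };
  }

  // The state change happens on POST only. A "simple" form POST is not
  // preflighted, so the Origin check must be repeated on the request itself.
  if (method === "POST") {
    if (!allowed) return DENY;
    return {
      status: 200,
      headers: { "Access-Control-Allow-Origin": origin, Vary: "Origin" },
      changed: true,
    };
  }

  // GET, HEAD and everything else stay safe: no state change, whoever asks.
  return WRONG_METHOD;
}
```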