
Re: ACTION-278: CSRF defense use case?

From: Tyler Close <tyler.close@gmail.com>
Date: Tue, 16 Feb 2010 23:50:34 -0800
Message-ID: <5691356f1002162350q412c4fb5jc180b616440360db@mail.gmail.com>
To: Jonathan Rees <jar@creativecommons.org>
Cc: www-tag@w3.org

Are you asking for something different from what is presented at:

http://waterken.sourceforge.net/web-key/#cap_xsrf

It's not just that unguessable URIs are helpful in CSRF defense, but
rather it is not possible to construct a CSRF attack when the private
resource is identified by only an unguessable URI. A CSRF attack
depends upon knowing the URL for the private resource.

--Tyler

On Tue, Feb 16, 2010 at 1:19 PM, Jonathan Rees <jar@creativecommons.org> wrote:
> Tyler,
>
> I think it would be useful in this discussion to have a CSRF defense
> use case on hand, since that's where this discussion started [1]. Can
> you provide a simple but somewhat realistic scenario where unguessable
> URIs might be helpful in CSRF defense?
>
> Thanks
> Jonathan
>
> [1] http://www.w3.org/2001/tag/2009/06/23-minutes.html#item05
>
> Tracker, this is ACTION-278
>

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
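The contrast Tyler draws above, as an added example that is not part of the original thread or of the Waterken web-key code: a conventional design in which a guessable path plus the browser's ambient cookie reaches the private resource, beside a web-key style design in which the resource is reachable only through an unguessable URI. Names, the example host, the account record and the cookie value are all constructed for the demonstration.

```python
import hmac
import secrets
from typing import Optional
from urllib.parse import urlsplit

# Constructed in-memory "server" state; hypothetical names, not Waterken's API.
ACCOUNTS = {"123": {"owner": "alice", "balance": 100}}   # guessable id
SESSIONS = {"cookie-abc": "alice"}                          # ambient credential
WEBKEYS: dict = {}                                          # unguessable key -> resource

def resolve_ambient(url: str, cookie: Optional[str]) -> Optional[dict]:
    """Conventional design: a predictable path names the resource and the browser's
    cookie authorises it. Any page that can make the browser send this URL with the
    cookie attached reaches the resource, which is exactly what CSRF relies on."""
    parts = urlsplit(url).path.strip("/").split("/")
    if len(parts) == 2 and parts[0] == "account" and cookie in SESSIONS:
        acct = ACCOUNTS.get(parts[1])
        if acct and acct["owner"] == SESSIONS[cookie]:
            return acct
    return None

def mint_web_key(resource: dict, nbytes: int = 16) -> str:
    """Web-key style: the resource is reachable only through 128 random bits."""
    key = secrets.token_urlsafe(nbytes)
    WEBKEYS[key] = resource
    return f"https://example.test/-/{key}"

def resolve_web_key(url: str) -> Optional[dict]:
    """Capability design: no cookie is consulted; the URL itself is the authority.
    A request built without the key resolves to nothing, so there is nothing to forge."""
    parts = urlsplit(url).path.strip("/").split("/")
    if len(parts) != 2 or parts[0] != "-":
        return None
    for key, resource in WEBKEYS.items():   # constant-time compare, no prefix timing leak
        if hmac.compare_digest(key.encode(), parts[1].encode()):
            return resource
    return None

def demo() -> tuple:
    # 1. Forged cross-site request against the conventional design: the attacker knows
    #    the guessable path and the victim's browser supplies the cookie.
    forged = resolve_ambient("https://example.test/account/123", "cookie-abc") is not None
    # 2. The holder of the web-key reaches the resource with no cookie at all.
    legit = resolve_web_key(mint_web_key(ACCOUNTS["123"])) is ACCOUNTS["123"]
    # 3. Public knowledge alone (host and path pattern) gives a request that resolves to
    #    nothing: the 128-bit key has to be known, not guessed.
    guessed = resolve_web_key("https://example.test/-/" + secrets.token_urlsafe(16)) is not None
    return forged, legit, guessed

if __name__ == "__main__":
    print(demo())   # → (True, True, False)
```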
Received on Wednesday, 17 February 2010 07:51:07 GMT
