W3C home > Mailing lists > Public > www-tag@w3.org > February 2010

Re: ACTION-278: CSRF defense use case?

From: Tyler Close <tyler.close@gmail.com>
Date: Tue, 16 Feb 2010 23:50:34 -0800
Message-ID: <5691356f1002162350q412c4fb5jc180b616440360db@mail.gmail.com>
To: Jonathan Rees <jar@creativecommons.org>
Cc: www-tag@w3.org
Are you asking for something different from what is presented at:


It's not just that unguessable URIs are helpful in CSRF defense, but
rather it is not possible to construct a CSRF attack when the private
resource is identified by only an unguessable URI. A CSRF attack
depends upon knowing the URL for the private resource.


On Tue, Feb 16, 2010 at 1:19 PM, Jonathan Rees <jar@creativecommons.org> wrote:
> Tyler,
> I think it would be useful in this discussion to have a CSRF defense
> use case on hand, since that's where this discussion started [1]. Can
> you provide a simple but somewhat realistic scenario where unguessable
> URIs might be helpful in CSRF defense?
> Thanks
> Jonathan
> [1] http://www.w3.org/2001/tag/2009/06/23-minutes.html#item05
> Tracker, this is ACTION-278

"Waterken News: Capability security on the Web"
Received on Wednesday, 17 February 2010 07:51:07 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 15:33:05 UTC