- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Sat, 24 Jan 2009 07:59:03 +0100
- To: Adam Barth <w3c@adambarth.com>
- Cc: ietf-http-wg@w3.org
* Adam Barth wrote: >> This is a false dichotomy; servers also have the option to request more >> information before making their final determination whenever deemed ne- >> cessary as long as human interaction is possible. For example, having a >> user re-enter his credentials is a common technique. > >To fully defend themselves against CSRF attacks, Web sites must >protect every request that modifies state. It is impractical to ask >users to re-enter their credentials for every side effecting >operation. I am unsure what point you are trying to make. You gave the impression that there are only two options, and neither of them is ever acceptable. That is not the case, there are more options, and some of them lead to acceptable results for some applications. There may be others, but that is no reason to claim a greater problem than there really is. -- Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de 25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Saturday, 24 January 2009 06:59:43 UTC