- From: Adam Barth <w3c@adambarth.com>
- Date: Mon, 26 Jan 2009 18:37:34 -0800
- To: Adrien de Croy <adrien@qbik.com>
- Cc: Mark Nottingham <mnot@mnot.net>, "Roy T. Fielding" <fielding@gbiv.com>, Larry Masinter <LMM@acm.org>, ietf-http-wg@w3.org, Lisa Dusseault <ldusseault@commerce.net>
On Mon, Jan 26, 2009 at 5:34 PM, Adrien de Croy <adrien@qbik.com> wrote:
> Adam Barth wrote:
>> It is impossible to secure all the users who visit your Web site. You
>> cannot secure users with IE5 or Firefox 1.0, for example. Moreover,
>> the header provides incremental value while it is being deployed.
>
> Do you have any more information on this you could refer me to? I find it
> hard to believe that there can be no security scheme which would be
> browser-independent.

These browsers are no longer maintained by their vendors. Whenever you see a vulnerability patched for IE7 or Firefox 3, there is a good chance that vulnerability also exists in IE5 or Firefox 1.0. In the context of this discussion, that means the "secret" tokens you rely upon for CSRF protection are not secret, and the attacker is free to mount a CSRF attack against your site.

Adam
Received on Tuesday, 27 January 2009 02:38:09 UTC
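The "incremental value" argument above, as an added illustration that is not part of the thread: a server-side check that decides on the request's origin header when the browser sends one (assumed here to be the Origin header under discussion in this working group) and falls back to the per-session secret token only for browsers that do not. With a leaked token, a legacy browser that sends no origin header is still exposed, while an updated browser is protected even though the token is no longer secret. The site origin, key and session ids are constructed sample values.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed sample values for the example; a real deployment loads these from config.
SITE_ORIGIN = "https://example.test"
SECRET_KEY = b"constructed-server-side-key"


def expected_token(session_id: str) -> str:
    """Derive the per-session CSRF token the server expects (HMAC over the session id)."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_check(headers: Dict[str, str], form: Dict[str, str], session_id: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for a state-changing request.

    Browsers that send an origin header are judged on it alone: a cross-site
    origin is rejected even if the attacker has learned the secret token.
    Browsers that send no origin header (legacy clients) get the token check,
    which is only as strong as the token's secrecy.
    """
    origin = headers.get("Origin")
    if origin is not None:
        # Exact match against the site's own serialized origin; "null" and
        # foreign origins both fail this comparison.
        if origin == SITE_ORIGIN:
            return True, "origin-match"
        return False, "origin-mismatch"

    # Legacy path: no origin information, so rely on the session-bound token.
    submitted = form.get("csrf_token", "")
    if hmac.compare_digest(submitted, expected_token(session_id)):
        return True, "token-match"
    return False, "token-mismatch"


def leaked_token_outcomes(session_id: str) -> Dict[str, bool]:
    """Compare what a leaked token buys an attacker on each kind of browser."""
    leaked = expected_token(session_id)
    cross_site = {"Origin": "https://attacker.test"}
    return {
        # Legacy browser: no origin header, leaked token is enough -> accepted.
        "legacy_browser_with_leaked_token": csrf_check({}, {"csrf_token": leaked}, session_id)[0],
        # Updated browser: origin header exposes the cross-site request -> rejected.
        "updated_browser_with_leaked_token": csrf_check(cross_site, {"csrf_token": leaked}, session_id)[0],
    }
```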