- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Wed, 25 Nov 2009 16:18:19 +0100
- To: Tyler Close <tyler.close@gmail.com>
- CC: HTTP Working Group <ietf-http-wg@w3.org>
Tyler Close wrote:
> The "Security Considerations" section of "HTTP/1.1, part 7:
> Authentication" should mention that the mechanism is vulnerable to
> Confused Deputy attacks such as Cross-Site-Request-Forgery (CSRF) and
> clickjacking. Is someone working on text for this, or should I propose
> some?
>
> See:
> http://tools.ietf.org/html/draft-ietf-httpbis-p7-auth-08#section-5
> ...

Hi Tyler,

as far as I can tell, nobody is currently working on this. I can't speak for the whole group, but I would be *very* happy if you would look not only at Part 7, producing proposals on what should be said.

Note that we should be careful about adding too much text though; in the past we were working on a separate spec, <http://tools.ietf.org/wg/httpbis/draft-ietf-httpbis-security-properties/>, which might be a better container for some of this.

Best regards, Julian
Received on Wednesday, 25 November 2009 15:18:58 UTC