- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Mon, 05 Nov 2007 17:05:49 +0100
- To: "Anne van Kesteren" <annevk@opera.com>
- Cc: <public-appformats@w3.org>
* Anne van Kesteren wrote:
>You already said that. I'm not sure how you think that helps.

I think Thomas read you as saying it's good practise if authors of web services that handle POST requests secure their service against cross-site <form> submissions, but do not secure them against cross-site XHR requests, whereas you were really saying, authors have to do the former and might not currently do the latter, independent of good practises. His point is that you really have to secure them against both, whatever that may mean for a particular service, so there is no difference from the perspective of the author's site.

The relevance of your distinction to the discussion is that one wants to minimize the ways in which web browsers can be used to attack poorly secured web services, and Thomas was asking to which degree this actually has security benefits.

--
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Monday, 5 November 2007 16:05:58 UTC