- From: Jonas Sicking <jonas@sicking.cc>
- Date: Mon, 05 Nov 2007 10:18:42 -0800
- To: Bjoern Hoehrmann <derhoermi@gmx.net>
- CC: Anne van Kesteren <annevk@opera.com>, public-appformats@w3.org

Bjoern Hoehrmann wrote:
> * Anne van Kesteren wrote:
>> You already said that. I'm not sure how you think that helps.
>
> I think Thomas read you as saying it's good practise if authors of web
> services that handle POST requests secure their service against cross-
> site <form> submissions, but do not secure them against cross-site XHR
> requests, whereas you were really saying, authors have to do the former
> and might not currently do the latter, independent of good practises.
>
> His point is that you really have to secure them against both, whatever
> that may mean for a particular service, so there is no difference from
> the perspective of the author's site. The relevance of your distinction
> to the discussion is that one wants to minimize the ways in which web
> browsers can be used to attack poorly secured web services, and Thomas
> was asking to which degree this actually has security benefits.

Why do you have to currently check for cross-site XHR POST requests? I would argue that you don't, and that there very likely are servers out there that don't. Thus, if we simply allowed cross-site XHR POST requests we'd make such servers vulnerable whereas they didn't use to be.

I agree that there very likely are servers out there that are vulnerable to cross-site <form> POST requests. That is bad, but I don't think that is anything we can or should do anything about here.

/ Jonas

Received on Monday, 5 November 2007 18:21:37 UTC