- From: Anne van Kesteren <annevk@opera.com>
- Date: Tue, 23 Oct 2007 22:10:09 +0200
- To: "Ian Hickson" <ian@hixie.ch>
- Cc: "WAF WG (public)" <public-appformats@w3.org>
On Tue, 23 Oct 2007 22:01:21 +0200, Ian Hickson <ian@hixie.ch> wrote:

> On Tue, 23 Oct 2007, Anne van Kesteren wrote:
>> One of our security guys is not happy with cross-site authenticated GET requests without some sort of verification from the server beforehand that it is actually ok to do that. Even though this is already possible to do so currently using <img> and <iframe> he thinks that practice shouldn't be further supported by making it mandatory for user agents to support that. The thought being that it might be possible to improve the situation for <img>/<iframe>/etc. at some point in the future. Any thoughts?
>
> It will always be possible to do cross-site requests for <img>, <iframe>, <script>, <form>, ... there are billions of pages depending on it.

I think the idea is to limit those cross-site requests to requests that don't include authentication information. That's not feasible at the moment, but the argument is that he doesn't want this specification to endorse that by saying that the cross-site requests should include authentication information. Rather, that an authentication request without authentication information is done first.

> What is the attack vector that is being mitigated by not allowing it? GETs are by definition supposed to be side-effect-free.

I think "supposed" and "real world" are key words here.

--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Tuesday, 23 October 2007 20:10:09 UTC
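The flow Anne describes (a credential-less verification request first, and credentials only attached once the server has said that origin is acceptable) can be modelled as a small toy, shown here as an added example that is not part of the thread or of the WAF WG's specification text. Everything in it is constructed: the `AccountServer` class, the `/transfer` endpoint with a side effect behind a GET (the "real world" case Anne alludes to), the origins, session cookie and balances are all hypothetical; the `Access-Control-Allow-Origin` and `Access-Control-Allow-Credentials` header names are the ones later standardised for this purpose, used here as illustrative labels. In a browser this check is performed by the user agent; the model collapses both sides into plain functions so the policy decision can be tested.

```python
"""Constructed model of "verify without credentials first, then send them".

Not the spec's mechanism and not production code: it shows why a server
must not honour ambient credentials on a cross-site request whose origin
it has never approved, even when the request is a GET.
"""
from dataclasses import dataclass, field
from typing import Optional

SERVER_ORIGIN = "https://bank.example"  # constructed: the origin that owns the endpoint


@dataclass
class Request:
    method: str
    path: str
    params: dict = field(default_factory=dict)
    origin: Optional[str] = None   # sent by the browser on a cross-site request
    cookie: Optional[str] = None   # the "authentication information"


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


class AccountServer:
    """Toy origin server with one state-changing endpoint reachable by GET."""

    def __init__(self, allowed_origins):
        self.allowed_origins = set(allowed_origins)
        self.sessions = {"sid=alice": "alice"}        # constructed session store
        self.balances = {"alice": 100, "mallory": 0}  # constructed account data

    def access_check(self, origin: str) -> Response:
        """Credential-less verification request: answers whether credentialed
        cross-site requests from `origin` are acceptable. No cookie is consulted."""
        if origin in self.allowed_origins:
            return Response(200, {"Access-Control-Allow-Origin": origin,
                                  "Access-Control-Allow-Credentials": "true"})
        return Response(403)

    def handle(self, req: Request) -> Response:
        user = self.sessions.get(req.cookie) if req.cookie else None
        cross_site = req.origin is not None and req.origin != SERVER_ORIGIN
        if cross_site and req.origin not in self.allowed_origins:
            # Unverified origin: the cookie is ignored, the request is treated
            # as anonymous, so the GET cannot act on alice's behalf.
            user = None
        if req.path == "/transfer":
            return self._transfer(user, req.params)
        return Response(404)

    def _transfer(self, user: Optional[str], params: dict) -> Response:
        """The side-effecting GET that 'should not exist' but does in practice."""
        if user is None:
            return Response(401)
        to = params.get("to")
        amount = int(params.get("amount", 0))
        if to not in self.balances or amount <= 0 or self.balances[user] < amount:
            return Response(400)
        self.balances[user] -= amount
        self.balances[to] += amount
        return Response(200)


def credentialed_cross_site_get(server: AccountServer, origin: str, path: str,
                                params: dict, cookie: str) -> Response:
    """Client side of the flow under discussion: ask first, without credentials;
    attach the cookie only if the server explicitly allowed this origin."""
    check = server.access_check(origin)
    if check.status != 200 or check.headers.get("Access-Control-Allow-Credentials") != "true":
        return Response(403)  # the cookie is never sent
    return server.handle(Request("GET", path, params, origin=origin, cookie=cookie))


if __name__ == "__main__":
    srv = AccountServer(allowed_origins=["https://app.bank.example"])
    print(credentialed_cross_site_get(srv, "https://evil.example", "/transfer",
                                      {"to": "mallory", "amount": "50"}, "sid=alice").status)
    print(srv.balances)
```

The server-side rule is the part worth keeping: a cookie on a request that carries an unapproved foreign `Origin` is simply not used, so the "GETs are side-effect-free" assumption no longer has to hold for the endpoint to be safe. The client helper shows the ordering Anne asks for, verification first and credentials second, rather than the reverse.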