- From: Close, Tyler J. <tyler.close@hp.com>
- Date: Thu, 7 Feb 2008 16:57:48 +0000
- To: Anne van Kesteren <annevk@opera.com>
- CC: Web Application Formats Working Group WG <public-appformats@w3.org>
Anne van Kesteren wrote: > On Thu, 07 Feb 2008 01:11:31 +0100, Close, Tyler J. > <tyler.close@hp.com> > wrote: > > Anne van Kesteren wrote: > >> What is recommended for this for cross-site GET and POST today? > > > > Today, browsers and sites cooperate to prevent cross-domain > requests. > > Actually, no, that is not true. Today you can issue cross-site GET and > POST requests which is why I asked the question. A browser may issue a cross-site request, but some servers are setup to recognize these requests and reject them; those servers that don't may be vulnerable to Cross Site Request Forgery (XSRF) attacks. The role of the server in rejecting these requests is what I was referring to when I said: "browsers and sites cooperate to prevent cross-domain requests". There is server-side cooperation in the prevention. A key point in this issue is that today, browsers and servers cooperate to *prevent* these requests; whereas this WG wants them to cooperate on *accepting* requests. There are no accountability issues in a rejected request, since the request isn't processed. There may be accountability issues when requests are accepted. It seems the WG hasn't considered these issues. --Tyler
Received on Thursday, 7 February 2008 16:58:41 UTC