- From: Anne van Kesteren <annevk@opera.com>
- Date: Thu, 07 Feb 2008 18:07:42 +0100
- To: "Close, Tyler J." <tyler.close@hp.com>
- Cc: "WAF WG (public)" <public-appformats@w3.org>
On Thu, 07 Feb 2008 17:57:48 +0100, Close, Tyler J. <tyler.close@hp.com> wrote:
> Anne van Kesteren wrote:
>> Actually, no, that is not true. Today you can issue cross-site GET and
>> POST requests which is why I asked the question.
>
> A browser may issue a cross-site request, but some servers are set up to
> recognize these requests and reject them; those servers that don't may
> be vulnerable to Cross Site Request Forgery (XSRF) attacks. The role of
> the server in rejecting these requests is what I was referring to when I
> said: "browsers and sites cooperate to prevent cross-domain requests".
> There is server-side cooperation in the prevention.

Actually, a large number of servers are set up to process them. Cross-site <script> and <img> requests are pretty common, to serve advertisements and counters for instance.

> A key point in this issue is that today, browsers and servers cooperate
> to *prevent* these requests; whereas this WG wants them to cooperate on
> *accepting* requests. There are no accountability issues in a rejected
> request, since the request isn't processed. There may be accountability
> issues when requests are accepted. It seems the WG hasn't considered
> these issues.

I'm not sure what makes you say that. It might be good to point this out in the security considerations section though.

--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Thursday, 7 February 2008 17:04:28 UTC