- From: Close, Tyler J. <tyler.close@hp.com>
- Date: Tue, 12 Feb 2008 02:57:13 +0000
- To: Ian Hickson <ian@hixie.ch>
- CC: "WAF WG (public)" <public-appformats@w3.org>
Close, Tyler J. wrote:
> +Robbing the user+
>
> For this scenario:
>
> resource host: acting faithfully
> third-party script: acting dishonestly
> user: acting honestly
>
> In this scenario, the third party script seeks to cause
> changes to the resource that the resource host will blame on the user.
>
> The third-party script sends exactly the same HTTP POST
> request shown in "Framing the Referer".

Or rather, almost exactly the same request. The "recipient" identifier identifies an account belonging to the third-party script's author. So:

POST /spendMoney HTTP/1.1
Host: honestBank.com
Referer-Root: https://honestBlogger.com
Cookie: "user's authentication tokens"
Content-Type: application/json

{
  "recipient": "honestBlogger's accomplice account",
  "amount": "20 bucks"
}

--Tyler
Received on Tuesday, 12 February 2008 02:58:20 UTC
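The point of the scenario above is that, from honestBank.com's side, the "Robbing the user" request and the "Framing the Referer" request are the same request apart from one body field. The following is an added illustration, not code from the thread or from any W3C draft: it parses two constructed requests shaped like the POST in the message (the cookie value, session table and trusted-root list are placeholders), applies the check a host would make if it relied on the cookie plus Referer-Root alone, and lists which fields could tell the two apart.

```python
import json

# Constructed sample requests, not copied from the thread: both follow the
# shape of the POST in the message above. The first is the "Framing the
# Referer" request (recipient chosen by the user); the second is the
# "Robbing the user" variant, where only the recipient has been swapped.
FRAMING_REQUEST = (
    "POST /spendMoney HTTP/1.1\r\n"
    "Host: honestBank.com\r\n"
    "Referer-Root: https://honestBlogger.com\r\n"
    "Cookie: session=USER-SESSION-TOKEN\r\n"   # placeholder cookie value
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"recipient": "honestBlogger", "amount": "20 bucks"}'
)
ROBBING_REQUEST = FRAMING_REQUEST.replace(
    '"recipient": "honestBlogger"',
    '"recipient": "honestBlogger\'s accomplice account"',
)

# Placeholder policy data for the example host.
TRUSTED_ROOTS = {"https://honestBlogger.com"}
VALID_SESSIONS = {"USER-SESSION-TOKEN": "alice"}


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, headers and JSON body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {
        "method": method,
        "path": path,
        "headers": headers,
        "body": json.loads(body) if body else None,
    }


def ambient_authority_decision(req):
    """The decision a host makes if it trusts the cookie and Referer-Root alone.

    Returns (user, allowed). Both scenario requests come out identical here,
    because nothing the host inspects differs between them.
    """
    cookie = req["headers"].get("cookie", "")
    session = dict(
        part.strip().split("=", 1) for part in cookie.split(";") if "=" in part
    )
    user = VALID_SESSIONS.get(session.get("session"))
    if user is None:
        return None, False
    if req["headers"].get("referer-root") not in TRUSTED_ROOTS:
        return user, False
    return user, True


def distinguishing_fields(req_a, req_b):
    """Names of the request fields that differ between two parsed requests,
    i.e. everything the host could possibly use to tell them apart."""
    diffs = set()
    for key in ("method", "path"):
        if req_a[key] != req_b[key]:
            diffs.add(key)
    for name in set(req_a["headers"]) | set(req_b["headers"]):
        if req_a["headers"].get(name) != req_b["headers"].get(name):
            diffs.add("header:" + name)
    for field in set(req_a["body"]) | set(req_b["body"]):
        if req_a["body"].get(field) != req_b["body"].get(field):
            diffs.add("body:" + field)
    return diffs


if __name__ == "__main__":
    framing = parse_request(FRAMING_REQUEST)
    robbing = parse_request(ROBBING_REQUEST)
    print("framing:", ambient_authority_decision(framing))
    print("robbing:", ambient_authority_decision(robbing))
    print("fields that differ:", distinguishing_fields(framing, robbing))
```

Run stand-alone, the script reports the same (user, allowed) pair for both requests and a single differing field, body:recipient, which is exactly the field the host has no independent way to validate. That is the observation the message is making: the user's cookie and the Referer-Root header identify who and where, not whether the user meant this particular transfer.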