- From: Jonas Sicking <jonas@sicking.cc>
- Date: Fri, 22 Feb 2008 16:41:16 -0800
- To: "Close, Tyler J." <tyler.close@hp.com>, "WAF WG (public)" <public-appformats@w3.org>
Close, Tyler J. wrote:
> The widespread vulnerability to XSRF makes it clear that developers
> aren't used to thinking about the implications of letting third-party
> sites automatically use the user's credentials. That alone suggests
> widening the number of cases to think about is dangerous. I am further
> arguing that there is nothing to be gained in this widening. Viable
> designs require the user's consent for Site B to issue a request to Site
> A on the user's behalf. In such a scenario, Site B is claiming to Site A
> that the user wants something. Designing the protocol such that Site
> B makes this claim without giving Site A any way to verify the claim is
> asking for trouble.

I think the main reason CSRF is so common today is that sites just don't think about the fact that they can be getting requests that originate from other sites. It's to a much, much smaller extent the fact that they realize that they can get cross-site requests, attempt to protect themselves against it, but fail to do it properly. Do you know of any incidents where that has been the case?

With access-control, sites specifically opt in to getting cross-site requests. So I don't really see how they would not realize that they are going to then receive those cross-site requests.

> Back to your privacy comparison, this is not about controlling what you
> do with what the user told you, but controlling how you claim to another
> that you speak on the user's behalf.

Cookies included in the request do not mean that you speak on the user's behalf. It just means that the user is using your site.

/ Jonas
Received on Saturday, 23 February 2008 00:41:46 UTC