RE: Comments on: Access Control for Cross-site Requests

Hi Jon,

Jon Ferraiolo wrote:
> * The Access Control mechanism MUST not broaden the attack
> surface for hackers, particularly with regard to CSRF

Could you elaborate a bit on this constraint? For example, one interpretation might be that the currently proposed mechanism violates this constraint since any cookies or HTTP Auth credentials the user may have are included in the request sent to the server (the opposite of what's done in the JSONRequest proposal). In essence, the current proposal is one for determining the set of hosts that are allowed to issue CSRF requests, which is a broadening of the CSRF attack surface.

On a related note, I'm uncomfortable with the use of the term access-control in this specification and discussion, since the discussed mechanism doesn't actually control access. For example, it is not a replacement for whatever mechanism a server is currently using to determine whether or not to process a received request. You can't add an XML PI to your document and say: "Good, that takes care of access-control!" The current naming of elements, headers and discussion terminology might lead one to believe so.

--Tyler

--
[1] "Access Control for Cross-site Requests"
    <http://www.w3.org/TR/access-control/>

Received on Thursday, 3 January 2008 17:52:16 UTC
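The distinction the message draws, as an added illustration that is not part of the original thread: a server makes two separate decisions for a cross-site request, whether the requesting page may read the response (what the cross-site mechanism governs) and whether the request is processed at all (the server's own authorization, here a per-session CSRF token). The header name is borrowed from the later CORS specification as an assumption, and the origins, session store and tokens are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed allowlist: origins whose pages may READ our responses.
ALLOWED_READ_ORIGINS = {"https://partner.example"}

# Constructed session store: cookie value -> user and per-session CSRF token.
SESSIONS = {"sid-123": {"user": "alice", "csrf_token": "tok-abc"}}

STATE_CHANGING = {"POST", "PUT", "DELETE"}


@dataclass
class Request:
    method: str
    origin: Optional[str]                 # Origin header set by the browser
    cookies: Dict[str, str]               # credentials the browser attached
    form: Dict[str, str] = field(default_factory=dict)


def cross_site_read_headers(req: Request) -> Dict[str, str]:
    """Decision 1: may the requesting page read the response?

    This is all the cross-site mechanism governs. The header name is an
    assumption borrowed from the later CORS spec; the check itself is ours.
    """
    if req.origin in ALLOWED_READ_ORIGINS:
        return {"Access-Control-Allow-Origin": req.origin}
    return {}


def authorize(req: Request) -> Tuple[bool, str]:
    """Decision 2: may the request be PROCESSED?  Independent of decision 1.

    Cookies ride along with the cross-site request, so a valid session alone
    proves nothing about which page initiated it; a state change also needs
    the per-session token that only same-origin pages can read.
    """
    session = SESSIONS.get(req.cookies.get("sid", ""))
    if session is None:
        return False, "no valid session"
    if req.method in STATE_CHANGING and req.form.get("csrf_token") != session["csrf_token"]:
        return False, "missing or wrong CSRF token"
    return True, session["user"]


def handle(req: Request) -> Tuple[int, Dict[str, str], bool]:
    """Returns (status, response headers, whether a state change ran)."""
    headers = cross_site_read_headers(req)   # never decides processing
    ok, _reason = authorize(req)
    return (200 if ok else 403), headers, ok
```

An allowed origin carrying the user's cookie but no token gets the read-permission header yet a 403 and no state change; an unlisted origin presenting a valid token is processed without that header, showing the allowlist is not what authorizes the request.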