W3C home > Mailing lists > Public > public-appformats@w3.org > January 2008

Re: ISSUE 19: Requirements and Usage Scenarios document

From: Arthur Barstow <art.barstow@nokia.com>
Date: Tue, 15 Jan 2008 08:20:32 -0500
Message-Id: <C09FCC78-17AF-4FCB-AAE2-11EA846DB2D3@nokia.com>
Cc: "WAF WG (public)" <public-appformats@w3.org>
To: ext Mark Nottingham <mnot@yahoo-inc.com>

Mark,

On Jan 14, 2008, at 11:24 PM, ext Mark Nottingham wrote:
>
> On 09/01/2008, at 1:36 PM, Jon Ferraiolo wrote:
>>
>> One thing that strikes me immediately is that there are  
>> requirements about XSS (cross-site scripting) but no mention of  
>> CSRF, which is one of the concern areas from the folks at OpenAjax  
>> Alliance, primarliy due to the current specification saying that  
>> cookies will be sent.
>>
> +1
>
> From what I understand, the response to this concern is usually  
> "that horse has already bolted."
>
> For the record, while I understand this sentiment, I personally  
> don't think it's a good excuse to open the door wider.

Where is the data/analysis that clearly backs your claim (that AC4CSR  
introduces new attack vectors)? My apologies if I missed this (but  
please do send me the pointer(s)).

Thanks, Art Barstow
---
Received on Tuesday, 15 January 2008 13:20:56 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:56:21 UTC