- From: Arthur Barstow <art.barstow@nokia.com>
- Date: Tue, 15 Jan 2008 08:20:32 -0500
- To: ext Mark Nottingham <mnot@yahoo-inc.com>
- Cc: "WAF WG (public)" <public-appformats@w3.org>
Mark,

On Jan 14, 2008, at 11:24 PM, ext Mark Nottingham wrote:

> On 09/01/2008, at 1:36 PM, Jon Ferraiolo wrote:
>
>> One thing that strikes me immediately is that there are requirements about XSS (cross-site scripting) but no mention of CSRF, which is one of the concern areas from the folks at OpenAjax Alliance, primarily due to the current specification saying that cookies will be sent.
>
> +1
>
> From what I understand, the response to this concern is usually "that horse has already bolted."
>
> For the record, while I understand this sentiment, I personally don't think it's a good excuse to open the door wider.

Where is the data/analysis that clearly backs your claim (that AC4CSR introduces new attack vectors)? My apologies if I missed this (but please do send me the pointer(s)).

Thanks,
Art Barstow

---
Received on Tuesday, 15 January 2008 13:20:56 UTC
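The CSRF concern quoted in the message above is that a cross-site request carrying the user's cookies is indistinguishable, on the server, from one the user intended unless the server checks something a third-party page cannot supply. The following is an added illustration written for this archive page; it is not code from the thread participants or from any W3C specification, and the request objects, allowlist, and session store are constructed for the example. It shows the two server-side checks defenders typically pair: an `Origin` allowlist for requests that carry that header, and a per-session synchronizer token for every state-changing request.

```python
"""Server-side CSRF checks for cookie-authenticated requests (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Tuple
import hmac
import secrets

# Constructed allowlist: origins whose pages may make credentialed state changes.
ALLOWED_ORIGINS = {"https://app.example", "https://admin.example"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # must not change state, so no token needed


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (hypothetical type)."""
    method: str
    headers: Dict[str, str]
    cookies: Dict[str, str]
    form: Dict[str, str] = field(default_factory=dict)


def issue_csrf_token(session: dict) -> str:
    """Bind a fresh random token to the server-side session and return it.

    The token is embedded in the site's own forms; a foreign page cannot read it.
    """
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def origin_allowed(request: Request) -> bool:
    """Reject requests whose Origin header names a site not on the allowlist.

    A missing Origin header is tolerated here (older user agents omit it);
    the token check below still applies to such requests.
    """
    origin = request.headers.get("Origin")
    if origin is None:
        return True
    return origin in ALLOWED_ORIGINS


def token_valid(request: Request, session: dict) -> bool:
    """Constant-time comparison of the submitted token with the session's token."""
    expected = session.get("csrf_token")
    supplied = request.form.get("csrf_token")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)


def authorize(request: Request, sessions: Dict[str, dict]) -> Tuple[bool, str]:
    """Decide whether a cookie-authenticated request may proceed.

    Returns (allowed, reason). The cookie alone never authorizes a state change.
    """
    session = sessions.get(request.cookies.get("sid", ""))
    if session is None:
        return False, "no session"
    if request.method in SAFE_METHODS:
        return True, "safe method"
    if not origin_allowed(request):
        return False, "origin not allowed"
    if not token_valid(request, session):
        return False, "missing or wrong csrf token"
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run three constructed requests through the checks and return the verdicts."""
    sessions = {"sid-123": {}}  # constructed session store keyed by cookie value
    token = issue_csrf_token(sessions["sid-123"])
    cookies = {"sid": "sid-123"}  # the browser attaches this to every request

    # 1. Form submitted from the site's own page: allowed origin and valid token.
    legit = Request("POST", {"Origin": "https://app.example"}, cookies,
                    {"csrf_token": token, "action": "transfer"})
    # 2. Request initiated by another site: cookies still ride along, but the
    #    Origin header gives it away.
    cross_site = Request("POST", {"Origin": "https://other.example"}, cookies,
                         {"action": "transfer"})
    # 3. Same, from a user agent that sends no Origin header: the token is missing.
    no_origin = Request("POST", {}, cookies, {"action": "transfer"})

    return {
        "legit": authorize(legit, sessions),
        "cross_site": authorize(cross_site, sessions),
        "no_origin": authorize(no_origin, sessions),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The point of the example is the one Jon Ferraiolo raised: once cookies accompany cross-site requests, the session cookie stops being evidence of user intent, so the server needs an additional signal (an allowlisted `Origin`, a token the foreign page cannot obtain, or both) before performing a state change.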