Re: ISSUE 19: Requirements and Usage Scenarios document

On Tue, 15 Jan 2008 15:20:46 +0100, Jon Ferraiolo <>  
> I described a CSRF scenario in
> Search for the word "attack". My example attack vector depends on cookies
> being sent as part of the cross-site request and assumes that the
> simplicity of using Access Control would result in widespread adoption by a
> new generation of unsophisticated web service developers who will open up
> their APIs to mashup applications without understanding the consequences.
> Note that the big CSRF worry here is that cookies are sent with the
> requests.

Cookies are already sent for <img>, <script>, and <form> requests. Nothing
new. If people mindlessly opt in we might have a problem (though it's
really the people that opt in that do), but I would expect that
dalmationlovers.invalid & co are using some off-the-shelf software.

Anne van Kesteren
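The two concerns in this exchange, the pre-existing cookie-bearing cross-site request (which a CSRF token handles) and the new Access Control opt-in (which should be limited to listed origins rather than reflected blindly), as an added illustration that is not part of the thread or of any W3C draft. Header names follow the later CORS syntax; the 2008 Access Control draft used different header names, and the allowlist, request shape and token names are constructed.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed allowlist of mashup origins this service chooses to opt in for.
ALLOWED_ORIGINS = {"https://mashup.example"}


@dataclass
class Request:
    """Constructed stand-in for an inbound HTTP request."""
    method: str
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


def cors_headers(origin: Optional[str]) -> Dict[str, str]:
    """Opt in only for listed origins. The 'mindless' variant the thread
    worries about would reflect any Origin together with credentials."""
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}  # no opt-in: the browser keeps the response unreadable
    return {
        "Access-Control-Allow-Origin": origin,  # never '*' with credentials
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def accept(req: Request) -> Tuple[bool, Dict[str, str]]:
    """Decide whether to act on the request and which opt-in headers to send."""
    origin = req.headers.get("Origin")
    resp = cors_headers(origin)
    if req.method in ("GET", "HEAD", "OPTIONS"):
        # Read-only: cookies were always sent cross-site; only readability changes.
        return True, resp
    # State-changing: a <form> could have sent the cookies too, so require a
    # double-submit CSRF token that a cross-site page cannot read.
    submitted = req.form.get("csrf_token", "")
    expected = req.cookies.get("csrf_token", "")
    if not expected or not hmac.compare_digest(submitted, expected):
        return False, resp
    # A cross-origin caller must also be one we opted in for.
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, resp
    return True, resp
```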

Received on Tuesday, 15 January 2008 15:54:52 UTC