- From: Anne van Kesteren <annevk@opera.com>
- Date: Tue, 15 Jan 2008 16:52:34 +0100
- To: "Jon Ferraiolo" <jferrai@us.ibm.com>
- Cc: "WAF WG (public)" <public-appformats@w3.org>
On Tue, 15 Jan 2008 15:20:46 +0100, Jon Ferraiolo <jferrai@us.ibm.com> wrote:

> I described a CSRF scenario in
> http://lists.w3.org/Archives/Public/public-appformats/2008Jan/0072.html.
> Search for the word "attack". My example attack vector depends on cookies
> being sent as part of the cross-site request and assumes that the
> simplicity of using Access Control would result in widespread adoption by a
> new generation of unsophisticated web service developers who will open up
> their APIs to mashup applications without understanding the consequences.
> Note that the big CSRF worry here is that cookies are sent with the
> requests.

Cookies are already sent for <img>, <script>, and <form> requests. Nothing new. If people mindlessly opt in we might have a problem (though it's really the people that opt in that do), but I would expect that dalmationlovers.invalid & co are using some off-the-shelf software.

-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Tuesday, 15 January 2008 15:54:52 UTC
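The exchange above turns on what an Access Control "opt-in" actually changes: a cookie-bearing cross-site request already reaches the server via `<img>`, `<script>` or `<form>`, and the new header only governs whether the requesting page may read the reply. The added example below (not from the thread, the WG, or the 2008 draft; it uses the header names and credential rule of today's CORS as an assumption) contrasts a "reflect any Origin" policy with an allowlisted one, and keeps the per-session CSRF token check that the state-changing side needs regardless. The allowlist entry and the origins in the demo are constructed.

```python
# Added example: server-side opt-in policies for cross-site requests, compared
# under the browser reading rule, plus the CSRF token check that covers
# state-changing requests independently of any Access Control decision.
import hmac
from typing import Callable, Mapping

Headers = Mapping[str, str]
Policy = Callable[[Headers], dict]

# Hypothetical allowlist of mashup sites permitted to read this API's responses.
ALLOWED_ORIGINS = frozenset({"https://mashup.example"})


def reflect_any_origin(req: Headers) -> dict:
    """Weak "opt everyone in" policy: echoes whatever Origin arrived and also
    allows credentials, so any page on the web can read cookie-authenticated
    responses. This is the unsophisticated-developer case from the thread."""
    origin = req.get("Origin")
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def allowlisted_origin(req: Headers) -> dict:
    """Stricter policy: only explicitly known origins get an allow header;
    everyone else's request is answered as if no opt-in existed."""
    origin = req.get("Origin")
    if origin not in ALLOWED_ORIGINS:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def response_readable(policy: Policy, req: Headers, with_credentials: bool) -> bool:
    """Browser-side rule (modern CORS semantics, assumed here): may the page
    that issued the request read the response body? Note that the request
    itself was delivered either way; only readability is decided here."""
    resp = policy(req)
    acao = resp.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if acao == "*":
        return not with_credentials  # wildcard never combines with cookies
    return (acao == req.get("Origin")
            and (not with_credentials
                 or resp.get("Access-Control-Allow-Credentials") == "true"))


def csrf_token_valid(form: Mapping[str, str], session_token: str) -> bool:
    """State-changing endpoints still need a per-session secret that a
    cross-site <form> cannot supply; the presence of a cookie proves nothing
    about who built the request. Constant-time compare avoids timing leaks."""
    return hmac.compare_digest(form.get("csrf_token", ""), session_token)


if __name__ == "__main__":
    # Constructed request from an unrelated site, carrying the victim's cookie.
    other_site = {"Origin": "https://another-site.invalid", "Cookie": "sid=abc"}
    print("reflect policy, readable:", response_readable(reflect_any_origin, other_site, True))
    print("allowlist policy, readable:", response_readable(allowlisted_origin, other_site, True))
    print("forged POST without token accepted:", csrf_token_valid({}, "t0k3n"))
```

The first policy is the one that turns the existing, mostly write-only CSRF exposure into a read exposure as well; the second limits that to sites the API owner actually chose, and the token check is what protects the write path in both cases.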