
Re: FAQ & Use Cases

From: Thomas Roessler <tlr@w3.org>
Date: Thu, 17 Jan 2008 01:37:26 +0100
To: Jon Ferraiolo <jferrai@us.ibm.com>
Cc: Anne van Kesteren <annevk@opera.com>, "WAF WG (public)" <public-appformats@w3.org>, public-appformats-request@w3.org
Message-ID: <20080117003726.GM363@iCoaster.does-not-exist.org>

On 2008-01-16 15:47:18 -0800, Jon Ferraiolo wrote:

>> So, let's be precise.  The HTTP requests can be triggered using
>> img and script.

> Yes, I agree with last sentence, but it is definitely not true
> that data can be retrieved via <img>, and with <script>, it is a
> complicated story.

Right.

> My main point is that I don't buy the argument that we shouldn't
> claim that there are so many vulnerabilities today that we
> shouldn't worry about the vulnerabilities that are side-effects
> of Access Control, particularly due to its transmission of
> cookies.

*Unauthorized* data retrieval is not a side-effect of the
access-control spec, since there needs to be an explicit policy in
place in order to enable that data retrieval.

> Thanks for your clear response. Yes, you are right, and I was
> wrong when I said Access Control gets in the way of CSRF
> protection. It's just that it won't be drop-dead simple for a
> server that wants to implement CSRF protection along with Access
> Control. The most popular techniques used today to achieve CSRF
> protection (e.g., hidden form fields holding the nonce) probably
> would warrant some rework to work well in a world that included
> Access Control. But "rework" is different than "get in the way".

Only if the nonce is transmitted along with a policy that lets third
parties access it.  If a site doesn't use the policy mechanism,
things don't change.

-- 
Thomas Roessler, W3C  <tlr@w3.org>
Received on Thursday, 17 January 2008 00:37:38 UTC
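
Added example, not part of the original message: a server-side audit of the point made in the last reply, that a CSRF nonce only becomes readable by third parties when it is served together with a policy that allows it. It assumes the header names of the later CORS specification (`Access-Control-Allow-Origin`, `Access-Control-Allow-Credentials`) rather than the 2008 draft syntax; the routes, origins and function names are constructed for illustration.

```javascript
// Models the browser-side read check for a cross-origin request sent with the
// user's cookies. Header names are those of the later CORS specification
// (an assumption; the thread discusses the 2008 Access Control draft).
function thirdPartyCanReadWithCookies(headers, origin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin === undefined) return false;   // no policy: nothing changes
  if (h["access-control-allow-credentials"] !== "true") return false;
  // "*" is not honoured for credentialed requests; the origin must match exactly.
  return allowOrigin === origin;
}

// Flags routes whose response carries a CSRF nonce AND is readable, with
// cookies, by an origin other than the site's own.
function auditNonceExposure(routes, siteOrigin, probeOrigins) {
  const findings = [];
  for (const route of routes) {
    if (!route.carriesNonce) continue;
    for (const origin of probeOrigins) {
      if (origin === siteOrigin) continue;
      if (thirdPartyCanReadWithCookies(route.headers, origin)) {
        findings.push({ path: route.path, origin });
      }
    }
  }
  return findings;
}

// Constructed sample configuration (hypothetical paths and origins).
const SAMPLE_ROUTES = [
  // Nonce in a form, no policy header: third parties cannot read it.
  { path: "/account/form", carriesNonce: true, headers: {} },
  // Policy present, but the response holds no nonce.
  { path: "/api/feed", carriesNonce: false,
    headers: { "Access-Control-Allow-Origin": "https://partner.example",
               "Access-Control-Allow-Credentials": "true" } },
  // Nonce served together with a credentialed policy: the case to rework.
  { path: "/api/profile", carriesNonce: true,
    headers: { "Access-Control-Allow-Origin": "https://partner.example",
               "Access-Control-Allow-Credentials": "true" } },
  // Wildcard without credentials: readable only without the user's cookies.
  { path: "/api/public", carriesNonce: true,
    headers: { "Access-Control-Allow-Origin": "*" } },
];

console.log(auditNonceExposure(SAMPLE_ROUTES, "https://site.example",
  ["https://partner.example", "https://other.example"]));
```

Only `/api/profile` is reported: it is the one route where the nonce and a policy granting a third party credentialed read access travel together.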
