- From: Thomas Roessler <tlr@w3.org>
- Date: Thu, 17 Jan 2008 01:37:26 +0100
- To: Jon Ferraiolo <jferrai@us.ibm.com>
- Cc: Anne van Kesteren <annevk@opera.com>, "WAF WG (public)" <public-appformats@w3.org>, public-appformats-request@w3.org
On 2008-01-16 15:47:18 -0800, Jon Ferraiolo wrote:

>> So, let's be precise. The HTTP requests can be triggered using
>> img and script.

> Yes, I agree with the last sentence, but it is definitely not true
> that data can be retrieved via <img>, and with <script>, it is a
> complicated story.

Right.

> My main point is that I don't buy the argument that we shouldn't
> claim that there are so many vulnerabilities today that we
> shouldn't worry about the vulnerabilities that are side-effects
> of Access Control, particularly due to its transmission of
> cookies.

*Unauthorized* data retrieval is not a side-effect of the access-control spec, since there needs to be an explicit policy in place in order to enable that data retrieval.

> Thanks for your clear response. Yes, you are right, and I was
> wrong when I said Access Control gets in the way of CSRF
> protection. It's just that it won't be drop-dead simple for a
> server that wants to implement CSRF protection along with Access
> Control. The most popular techniques used today to achieve CSRF
> protection (e.g., hidden form fields holding the nonce) probably
> would warrant some rework to work well in a world that included
> Access Control. But "rework" is different than "get in the way".

Only if the nonce is transmitted along with a policy that lets third parties access it. If a site doesn't use the policy mechanism, things don't change.

--
Thomas Roessler, W3C <tlr@w3.org>
Received on Thursday, 17 January 2008 00:37:38 UTC
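The argument in the message above, as an added example that is not part of the original mail or of the Access Control spec: a small model in which a cross-site request carries the user's cookie, but the response body (and so the hidden-field CSRF nonce) is only exposed to the requesting origin when the server publishes a policy naming it. The policy representation (a tuple of allowed origins, `"*"` for anyone), the session store and the origin names are all constructed for the example.

```python
"""Model of the thread's point: transmitting cookies cross-site does not by
itself leak a CSRF nonce; an explicit access-control policy has to permit
the third party to read the response. Simplified stand-in, not spec syntax."""
import secrets

# Constructed sample session store keyed by cookie value.
SESSIONS = {"sid-123": {"user": "alice", "csrf_nonce": secrets.token_hex(8)}}


def serve_form(cookie, policy_allow=()):
    """Origin server: returns the form page embedding the per-session CSRF
    nonce, plus whatever access-control policy it chooses to publish
    (empty tuple = no policy, i.e. the site does not use the mechanism)."""
    session = SESSIONS.get(cookie)
    if session is None:
        return {"status": 403, "body": "", "policy": tuple(policy_allow)}
    body = f'<input type="hidden" name="nonce" value="{session["csrf_nonce"]}">'
    return {"status": 200, "body": body, "policy": tuple(policy_allow)}


def cross_site_fetch(requesting_origin, cookie, policy_allow=()):
    """User-agent model: the cookie IS sent with the cross-site request (the
    concern raised in the thread), but the body is handed to the requesting
    origin only if the published policy names that origin or everyone."""
    resp = serve_form(cookie, policy_allow)
    allowed = "*" in resp["policy"] or requesting_origin in resp["policy"]
    return resp["body"] if allowed else None


def nonce_leaks(policy_allow):
    """Defender's check: could a page on a hypothetical third-party origin
    read the logged-in user's nonce under this policy? True only when the
    policy admits that third party; with no policy, nothing changes."""
    got = cross_site_fetch("https://third-party.example", "sid-123", policy_allow)
    return got is not None and SESSIONS["sid-123"]["csrf_nonce"] in got
```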