Re: FAQ & Use Cases

On 2008-01-16 15:47:18 -0800, Jon Ferraiolo wrote:

>> So, let's be precise.  The HTTP requests can be triggered using
>> img and script.

> Yes, I agree with last sentence, but it is definitely not true
> that data can be retrieved via <img>, and with <script>, it is a
> complicated story.

Right.

> My main point is that I don't buy the argument that we shouldn't
> claim that there are so many vulnerabilities today that we
> shouldn't worry about the vulnerabilities that are side-effects
> of Access Control, particularly due to its transmission of
> cookies.

*Unauthorized* data retrieval is not a side-effect of the
access-control spec, since there needs to be an explicit policy in
place in order to enable that data retrieval.

> Thanks for your clear response. Yes, you are right, and I was
> wrong when I said Access Control gets in the way of CSRF
> protection. It's just that it won't be drop-dead simple for a
> server that wants to implement CSRF protection along with Access
> Control. The most popular techniques used today to achieve CSRF
> protection (e.g., hidden form fields holding the nonce) probably
> would warrant some rework to work well in a world that included
> Access Control. But "rework" is different than "get in the way".

Only if the nonce is transmitted along with a policy that lets third
parties access it.  If a site doesn't use the policy mechanism,
things don't change.

-- 
Thomas Roessler, W3C  <tlr@w3.org>

Received on Thursday, 17 January 2008 00:37:38 UTC
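The point made above (cross-origin script gets a response body, and therefore any CSRF nonce in it, only when the server ships an explicit policy) as a toy model, added here and not part of the thread. The header name `Access-Control-Allow-Origin`, the sample origins and the sample form page are assumptions; the 2008 Access Control draft spelled its policy differently.

```python
# Added example: a toy model of the browser-side gate the discussion is about.
# A cross-origin request is sent (cookies and all), but the *response body* is
# handed to the requesting page only if the server opted in with a policy.
# Assumption: the policy is the header Access-Control-Allow-Origin (today's
# CORS spelling); the 2008 draft used different syntax.
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Response:
    origin: str                               # origin of the server that sent it
    body: str
    headers: Dict[str, str] = field(default_factory=dict)


def readable_by(page_origin: str, resp: Response) -> bool:
    """Same-origin pages always read the body; others only with a policy."""
    if page_origin == resp.origin:
        return True
    policy = resp.headers.get("Access-Control-Allow-Origin")
    if policy is None:
        return False                          # no policy: nothing changes
    return policy == "*" or policy == page_origin


def leaked_nonce(page_origin: str, resp: Response) -> Optional[str]:
    """The hidden-field CSRF nonce a page at page_origin could read, if any."""
    if not readable_by(page_origin, resp):
        return None
    marker = 'name="csrf_token" value="'
    start = resp.body.find(marker)
    if start < 0:
        return None
    start += len(marker)
    return resp.body[start:resp.body.index('"', start)]


# Constructed sample responses (origins and nonce are made up).
FORM_PAGE = Response("https://bank.example",
    '<form><input type="hidden" name="csrf_token" value="n0nce123"></form>')
FORM_WITH_POLICY = Response("https://bank.example", FORM_PAGE.body,
    {"Access-Control-Allow-Origin": "*"})       # the misconfiguration to avoid
PARTNER_API = Response("https://bank.example", '{"balance": 1}',
    {"Access-Control-Allow-Origin": "https://partner.example"})

if __name__ == "__main__":
    print(leaked_nonce("https://other.example", FORM_PAGE))         # None
    print(leaked_nonce("https://other.example", FORM_WITH_POLICY))  # n0nce123
    print(readable_by("https://partner.example", PARTNER_API))      # True
    print(readable_by("https://other.example", PARTNER_API))        # False
```

Serving the nonce-bearing form page without any policy (the first case) is the status quo the reply describes: the request still carries cookies, but the nonce never reaches a third-party page.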