I would argue that CSRF has become more convenient with CORS. The attacker previously had to open invisible iframes with tailored forms for each HTTP POST he/she wanted to send. Now the attacker can just parameterize and send it via Ajax.
Do you agree? Or am I missing a more convenient CSRF POST method for legacy browsers?
Regards, John
--
My music http://www.johnwilander.com
Twitter https://twitter.com/johnwilander
CV or Résumé http://johnwilander.se
On 5 Feb 2013, at 23:37, "Hill, Brad" <bhill@paypal-inc.com> wrote:
> Brandon,
>
> The requirement is that CORS does not introduce any new Cross-Site Request Forgery attack capabilities not present in legacy user agents. Therefore, all requests that cannot be generated by pre-CORS user agents through methods like GET, POST and HEAD that are available through legacy HTML+JS must be anonymous or pre-authorized.
>
> The user agent should not send requests with credentials on non-simple HTTP methods unless and until the server indicates it is prepared to accept such by responding to the pre-flight request.
>
> Does this answer your question?
>
> -Brad
>
> From: brandon.sterne@gmail.com [mailto:brandon.sterne@gmail.com] On Behalf Of Brandon Sterne
> Sent: Tuesday, February 05, 2013 1:38 PM
> To: public-web-security@w3.org
> Subject: CORS question
>
> Hey guys,
>
> Co-workers of mine were trying to understand the threat model of CORS, and I was having trouble articulating some of the particular risks that the spec attempts to avoid. Why does the OPTIONS pre-flight request never carry credentials?
>
> Thanks,
> Brandon
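As an added illustration that is not part of this thread, nor any browser's or the W3C specification's code, the following Python models the three points the messages above make: Brad's rule that a cross-origin request may carry cookies without asking only when a legacy form could already have produced it (the "simple" GET/HEAD/POST case), Brandon's question of why the OPTIONS pre-flight itself never carries credentials (it is a question to the server, not an action on the user's behalf), and John's observation that a form-encoded POST is exactly such a simple request. The origins, header names and server responses are constructed for the example; the safelisted methods, headers and content types follow the CORS rules, simplified to the parts the thread discusses.

```python
"""Toy model of the CORS decisions discussed in the thread (added example).

Two questions are modelled:
  1. Is a cross-origin request "simple", i.e. something a pre-CORS browser
     could already emit from an HTML form, so sending it with cookies adds
     no CSRF capability the legacy web did not have?
  2. If not, does the server's reply to the credential-free OPTIONS pre-flight
     opt in to the real, possibly credentialed, request?
"""

SIMPLE_METHODS = {"GET", "HEAD", "POST"}
# Headers a plain HTML form can set on its own; anything else forces a pre-flight.
SIMPLE_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SIMPLE_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}


def _needs_authorization(name, value):
    """True when a header could not come from a legacy form and must therefore be
    listed by the server in Access-Control-Allow-Headers."""
    lname = name.lower()
    if lname not in SIMPLE_HEADERS:
        return True
    if lname == "content-type":
        return value.split(";", 1)[0].strip().lower() not in SIMPLE_CONTENT_TYPES
    return False


def is_simple_request(method, headers):
    """A simple request goes out directly, cookies included, with no pre-flight."""
    if method.upper() not in SIMPLE_METHODS:
        return False
    return not any(_needs_authorization(n, v) for n, v in headers.items())


def build_preflight(origin, method, headers):
    """The OPTIONS request the browser sends before a non-simple request.
    It names the origin, method and extra headers but carries no Cookie header
    and no other credentials: nothing in it acts on the user's behalf."""
    requested = sorted(n.lower() for n, v in headers.items() if _needs_authorization(n, v))
    return {
        "method": "OPTIONS",
        "headers": {
            "Origin": origin,
            "Access-Control-Request-Method": method.upper(),
            "Access-Control-Request-Headers": ", ".join(requested),
        },
        "credentials": False,
    }


def _csv(value):
    return {item.strip() for item in value.split(",") if item.strip()}


def preflight_permits(origin, method, headers, with_credentials, response):
    """Evaluate the server's pre-flight response the way a browser would.
    `response` maps lower-cased response header names to their values."""
    allow_origin = response.get("access-control-allow-origin")
    if allow_origin is None:
        return False
    if with_credentials:
        # For credentialed requests the server must echo the exact origin (a "*"
        # wildcard never matches) and explicitly set Allow-Credentials: true.
        if allow_origin != origin or response.get("access-control-allow-credentials", "").lower() != "true":
            return False
    elif allow_origin not in ("*", origin):
        return False
    allow_methods = {m.upper() for m in _csv(response.get("access-control-allow-methods", ""))}
    if method.upper() not in SIMPLE_METHODS and method.upper() not in allow_methods:
        return False
    allow_headers = {h.lower() for h in _csv(response.get("access-control-allow-headers", ""))}
    return all(n.lower() in allow_headers for n, v in headers.items() if _needs_authorization(n, v))


def decide(origin, method, headers, with_credentials, preflight_response):
    """Outcome for a cross-origin request made by a page at `origin`:
    'sent'                 simple request, leaves immediately (legacy-equivalent);
    'sent-after-preflight' server opted in, the real request follows;
    'blocked'              pre-flight refused, the real request is never sent."""
    if is_simple_request(method, headers):
        return "sent"
    if preflight_permits(origin, method, headers, with_credentials, preflight_response):
        return "sent-after-preflight"
    return "blocked"


if __name__ == "__main__":
    # Constructed server policy: names one origin and opts in to credentials.
    policy = {"access-control-allow-origin": "https://app.example",
              "access-control-allow-credentials": "true",
              "access-control-allow-methods": "PUT",
              "access-control-allow-headers": "x-custom"}
    print(decide("https://other.example", "POST", {"Content-Type": "text/plain"}, True, policy))
    print(decide("https://other.example", "PUT", {"X-Custom": "1"}, True, policy))
    print(decide("https://app.example", "PUT", {"X-Custom": "1"}, True, policy))
```

The first call in the demo is John's case: a form-style POST is simple, so it leaves with cookies and no pre-flight, exactly as a hidden form would have in a legacy browser. The second is Brad's case: a PUT from an origin the server never named is blocked before the credentialed request exists, and the pre-flight that asked had no cookies to leak in the first place.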