Re: Origin enables XSS to escalate to XSRF (was: security issue with XMLHttpRequest API compatibility)

On Sun, Jun 7, 2009 at 3:21 PM, Mark S. Miller <erights@google.com> wrote:
> If the hypothesis I am raising is indeed not a problem, then it doesn't
> matter whether these same origin requests carry "Origin: null" or nothing.
> What matters is that JavaScript code have a standard way to request their
> browser to issue requests carrying no other credentials, even if back to the
> same origin.

Yeah, I can see that as being useful.  I encourage you to propose a
new API that does this.  The Origin-header-as-CSRF-defense already
provides for this possibility.  Is there something specific you'd like
me to change in the I-D to support this new API?

Adam

Received on Sunday, 7 June 2009 22:29:42 UTC