- From: Mark S. Miller <erights@google.com>
- Date: Sun, 7 Jun 2009 15:46:46 -0700
- To: Adam Barth <w3c@adambarth.com>, public-webapps <public-webapps@w3.org>
Received on Sunday, 7 June 2009 22:47:26 UTC
[- all but Adam and public-webapps]

On Sun, Jun 7, 2009 at 3:24 PM, Adam Barth <w3c@adambarth.com> wrote:
> On Sun, Jun 7, 2009 at 2:53 PM, Mark S. Miller <erights@google.com> wrote:
> > If servers at A don't freely hand out such tokens in response to
> > guessable GET requests, then the secret token prevents
> > XSS-at-A-attacker's XSRF against B from abusing the authority that B
> > associates with A.
>
> I don't see what GET has to do with it. In any case, the XSS attacker
> can always enter the site at the home page (e.g., http://example.com/)
> and follow whatever obscure links exist until it reaches the page that
> contains the token.
[...]

If the starting point "http://example.com/" is guessable, then the XSS
attacker thereby succeeds at obtaining the token only if the server at
example.com hands out the token in response to a guessable sequence of
GET requests. If the starting point is not guessable, then I don't
understand your example.

--
Cheers,
--MarkM