- From: Tyler Close <tyler.close@gmail.com>
- Date: Sat, 13 Jun 2009 05:39:58 -0700
- To: Adam Barth <w3c@adambarth.com>
- Cc: "Mark S. Miller" <erights@google.com>, Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>
On Fri, Jun 12, 2009 at 10:36 PM, Adam Barth <w3c@adambarth.com> wrote:
>> Isn't your answer above only about client (user agent) behavior? I'd still
>> like to understand what the recommended/expected difference in server behavior
>> should/might be depending on whether Origin is absent or null. Thanks.
>
> Suppose GuestXHR doesn't send an Origin header for any requests and a
> server uses the algorithm in draft-abarth-origin to mitigate CSRF
> attacks. Now, an attacker can mount a CSRF attack against the server.

Could you provide a bit more detail here? I don't understand how an
attacker could mount a CSRF attack using GuestXHR, if there are no user
credentials in a GuestXHR request. It seems to me that Origin is only
about telling a server how to treat user credentials attached to a
request.

--Tyler

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Saturday, 13 June 2009 12:40:33 UTC
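The exchange above turns on what a server following the draft-abarth-origin CSRF mitigation does when the Origin header is absent versus when it is the literal string "null", and on whether a request carries ambient credentials at all. The following is an added example, not code from the thread, the draft, or the Waterken project. It encodes one reading of the draft's server-side steps (an absent Origin header is processed as a legacy request; any present value must be on a whitelist, and "null" matches nothing), then classifies a few constructed requests by whether the check admits them and whether they carry a session cookie. The whitelist, the request shapes and the `Request` class are assumptions made for illustration.

```python
"""Origin-header CSRF check in the style of draft-abarth-origin (added example).

Everything here is constructed for illustration: the whitelist, the request
records and the decision strings are assumptions, not the draft's normative text.
"""
from dataclasses import dataclass, field

# Assumed whitelist of origins allowed to make state-changing requests.
ALLOWED_ORIGINS = {"https://bank.example"}

# Methods treated as safe (no state change), so the Origin check is skipped.
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: method, headers, parsed cookies."""
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)

    def origin(self):
        """Case-insensitive lookup of the Origin header; None when absent."""
        for name, value in self.headers.items():
            if name.lower() == "origin":
                return value
        return None


def origin_check(req):
    """Return (allowed, reason) for the server-side algorithm as read here:
    no Origin header -> process as a legacy user agent; otherwise the value
    must be whitelisted, and the opaque string 'null' never is."""
    if req.method in SAFE_METHODS:
        return True, "safe method, no state change"
    origin = req.origin()
    if origin is None:
        return True, "no Origin header: treated as legacy user agent"
    if origin == "null":
        return False, "Origin: null is an opaque origin, not whitelisted"
    if origin in ALLOWED_ORIGINS:
        return True, "Origin whitelisted"
    return False, "Origin %s not whitelisted" % origin


def classify(req):
    """Combine the Origin decision with whether the request carries ambient
    authority (here: any cookie). A request admitted without credentials
    acts on nobody's behalf; one admitted with credentials acts as the user."""
    allowed, reason = origin_check(req)
    if not allowed:
        return "rejected: " + reason
    if not req.cookies:
        return "accepted without credentials: " + reason
    return "accepted with credentials: " + reason


def sample_decisions():
    """Constructed requests covering the cases discussed in the thread."""
    session = {"session": "abc123"}  # constructed cookie value
    cases = {
        # Legacy browser form POST: cookie attached, no Origin header sent.
        "legacy_form_post": Request("POST", {}, session),
        # GuestXHR-style request as Tyler describes it: no Origin, no cookies.
        "guest_no_origin": Request("POST", {}, {}),
        # Cross-origin request that serialises its origin as 'null', with cookies.
        "null_origin_with_cookie": Request("POST", {"Origin": "null"}, session),
        # Request from a foreign site, with cookies.
        "foreign_origin": Request("POST", {"Origin": "https://evil.example"}, session),
        # Same-origin request from the whitelisted site.
        "same_origin": Request("POST", {"Origin": "https://bank.example"}, session),
        # Read-only request: never subject to the check.
        "plain_get": Request("GET", {"Origin": "https://evil.example"}, session),
    }
    return {name: classify(req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, decision in sample_decisions().items():
        print("%-24s %s" % (name, decision))
```

The table the script prints makes the two positions in the thread concrete: under this reading of the draft, a request with no Origin header is admitted, so whether that admission is a CSRF depends entirely on whether a cookie rode along with it, which is the distinction Tyler draws.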