Re: XHR and sandboxed iframes (was: Re: XHR without user credentials)

On Wed, Jun 17, 2009 at 5:09 PM, Adam Barth <w3c@adambarth.com> wrote:

> On Wed, Jun 17, 2009 at 5:02 PM, Mark S. Miller <erights@google.com> wrote:
> > On Wed, Jun 17, 2009 at 4:46 PM, Ian Hickson <ian@hixie.ch> wrote:
> >> But... we want the page talking on behalf of the user. That's the point
> >> of a browser.
> >
> > Not in this way. At least not according to Roy Fielding (Mr. REST)
> > <http://lists.w3.org/Archives/Public/ietf-http-wg/2009JanMar/0037.html>.
>
> That email also claims that "CSRF is not a security issue for the
> Web," so I guess we need not worry about these issues.  :)
>

C'mon Adam, I was citing that regarding what "the point of a browser" is.
That same paragraph goes on to say

>> If browsers
>> create a security issue because they allow scripts to automatically
>> direct requests with stored security credentials onto third-party
>> sites, without any user intervention/configuration, then the obvious
>> fix is within the browser.

As he says, browsers created this security issue by cross-origin
presentation of ambient credentials. Had they not, then CSRF would not have
been a security issue for the web. I don't agree that we can fix browsers as
he proposes. As we all know, the weight of legacy mistakes is too great.
However, so long as we are in the midst of proposing new mechanisms, we
should endeavor to free these new mechanisms from repeating these old
mistakes.

-- 
   Cheers,
   --MarkM

Received on Thursday, 18 June 2009 00:17:06 UTC