- From: Ian Hickson <ian@hixie.ch>
- Date: Thu, 18 Jun 2009 07:32:56 +0000 (UTC)
- To: "Mark S. Miller" <erights@google.com>
- Cc: Anne van Kesteren <annevk@opera.com>, Tyler Close <tyler.close@gmail.com>, Adam Barth <w3c@adambarth.com>, public-webapps <public-webapps@w3.org>
On Wed, 17 Jun 2009, Mark S. Miller wrote:
>
> > > I don't really understand what we're trying to prevent here.
>
> Confused deputies such as XSRF problems. Original paper is at
> <http://www.cis.upenn.edu/~KeyKOS/ConfusedDeputy.html>. It's well worth
> rereading. Much deeper than it at first appears.

Could you describe a concrete attack that you are concerned about? I don't
really see how the article you cite applies here.

> Perhaps my own <srl.cs.jhu.edu/pubs/SRL2003-02.pdf> may help.
>
> The threads and links already cited should make the connection with
> browser security clear.

Maybe I'm just too stupid for this job, but I don't understand the
connection at a concrete level. I mean, I think I understand the kind of
threats we're talking about, but as far as I can tell, CORS takes care of
them all.

> I'm not really sure what more to explain. Perhaps you could ask a more
> specific question?

Could you show some sample code maybe that shows the specific threat you
are concerned about?

--
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 18 June 2009 07:33:31 UTC