- From: Adam Barth <w3c@adambarth.com>
- Date: Sat, 24 Oct 2009 10:07:24 -0700
- To: David-Sarah Hopwood <david-sarah@jacaranda.org>
- Cc: public-webapps@w3.org
On Fri, Oct 23, 2009 at 11:07 PM, David-Sarah Hopwood <david-sarah@jacaranda.org> wrote:
> The specific risk is quite clear: it's the risk of CSRF attacks that
> are currently prevented (or mitigated) by the same-origin policy.
> These won't be prevented or mitigated to the same extent by browsers
> that implement CORS.

The reason the risk is unclear is because this scenario requires servers to opt in to this behavior. It's hard for us to know what else server operators will do when they opt in to CORS. What is clear, however, is that in the simple cases, there is no additional CSRF risk because the set of requests an attacker can generate is not expanded by CORS.

Adam
Received on Saturday, 24 October 2009 17:08:17 UTC
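The argument above rests on the CORS notion of a "simple request": a request that a browser sends without a preflight, which is exactly the shape an HTML form could already submit cross-origin before CORS existed. The following is an added example, not code from this thread or from either author, that models that rule as the Fetch standard defines it (the Range header special case is omitted), alongside a server-side Origin check that mitigates CSRF whether or not the server opts in to CORS. The request shapes, the allowlist and the strict "reject a missing Origin" policy are constructed assumptions for illustration.

```python
"""Added example (not code from the original thread or from either author):
model the CORS "simple request" rule from the Fetch standard and a
server-side Origin check.  Sample requests and allowlists are constructed."""

# Per the Fetch standard, a request is "simple" (sent without a preflight
# OPTIONS exchange) only if it uses one of these methods ...
SIMPLE_METHODS = {"GET", "HEAD", "POST"}
# ... carries only these author-set headers (the Range header's special
# case is omitted here for brevity) ...
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
# ... and, if it has a Content-Type, uses one of the three form-compatible types.
SIMPLE_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}


def _lower_keys(headers):
    """Header names are case-insensitive; normalise them once."""
    return {k.lower(): v for k, v in headers.items()}


def is_simple_request(method, headers):
    """Return True when the browser would send the request without a preflight.

    Simple requests are exactly the shapes an HTML <form> could already submit
    cross-origin before CORS existed, which is why enabling CORS does not
    expand the set of requests that reach a server.  Only headers set by page
    script are passed in; browser-controlled headers (Host, Origin, ...) are
    not part of the check.
    """
    if method.upper() not in SIMPLE_METHODS:
        return False
    for name, value in _lower_keys(headers).items():
        if name not in SAFELISTED_HEADERS:
            return False
        if name == "content-type":
            mime = value.split(";", 1)[0].strip().lower()
            if mime not in SIMPLE_CONTENT_TYPES:
                return False
    return True


def csrf_check(method, headers, allowed_origins):
    """Server-side CSRF mitigation that is independent of CORS.

    State-changing requests must carry an Origin header naming an allowlisted
    site.  Rejecting a missing Origin is a deliberately strict policy chosen
    for this example (assumption: all legitimate clients are browsers that
    send Origin on non-GET requests).  Returns (allowed, reason).
    """
    if method.upper() in {"GET", "HEAD", "OPTIONS"}:
        return True, "safe method"
    origin = _lower_keys(headers).get("origin")
    if origin is None:
        return False, "missing Origin header"
    if origin not in allowed_origins:
        return False, "origin not allowed"
    return True, "origin allowed"


def cors_response_headers(origin, allowed_origins):
    """The server's CORS opt-in: echo only an allowlisted Origin.

    This decides whether the *response* becomes readable to cross-origin
    script; it does not change which requests arrive.  Never combine '*'
    with Access-Control-Allow-Credentials.
    """
    if origin in allowed_origins:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {}


# Constructed sample requests for the demo below.
SAMPLE_REQUESTS = [
    ("form post",  "POST", {"Content-Type": "application/x-www-form-urlencoded"}),
    ("json post",  "POST", {"Content-Type": "application/json"}),
    ("put",        "PUT",  {}),
    ("custom hdr", "GET",  {"X-Requested-With": "XMLHttpRequest"}),
]


def classify_samples():
    """Map each sample request name to whether it is a CORS simple request."""
    return {name: is_simple_request(m, h) for name, m, h in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for name, simple in classify_samples().items():
        print(f"{name:10s} simple={simple}")
    print(csrf_check("POST", {"Origin": "https://evil.example"}, {"https://app.example"}))
```

Only the form-shaped POST is classified as simple; the JSON POST, the PUT and the request with a custom header all require a preflight, which the server must answer affirmatively before the browser sends them. The Origin check works the same way in both cases, which is the practical takeaway: a server that opts in to CORS still needs its own CSRF defence, but enabling CORS does not create new request shapes for the defence to cover.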