- From: Anne van Kesteren <annevk@opera.com>
- Date: Tue, 27 Oct 2009 17:06:08 +0100
- To: "Adam Barth" <w3c@adambarth.com>, "David-Sarah Hopwood" <david-sarah@jacaranda.org>
- Cc: public-webapps@w3.org
On Sat, 24 Oct 2009 19:07:24 +0200, Adam Barth <w3c@adambarth.com> wrote:

> On Fri, Oct 23, 2009 at 11:07 PM, David-Sarah Hopwood
> <david-sarah@jacaranda.org> wrote:
>> The specific risk is quite clear: it's the risk of CSRF attacks that
>> are currently prevented (or mitigated) by the same-origin policy.
>> These won't be prevented or mitigated to the same extent by browsers
>> that implement CORS.
>
> The reason the risk is unclear is because this scenario requires
> servers to opt-in to this behavior. It's hard for us to know what
> else server operators will do when they opt in to CORS.
>
> What is clear, however, is that in the simple cases, there is no
> additional CSRF risk because the set of requests an attacker can
> generate is not expanded by CORS.

This is not limited to the simple cases, for what it's worth. It requires opt-in in all cases. By default everything is pretty much the same and the same as far as servers are concerned.

--
Anne van Kesteren
http://annevankesteren.nl/
Received on Tuesday, 27 October 2009 16:07:46 UTC
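As an added illustration of the opt-in argument in the thread (this is not code from the thread, from any browser, or from the CORS specification), the following Python model shows the browser-side decision for a cross-origin request: a "simple" request is sent with or without CORS, exactly like a form submission, while a non-simple request is only sent after the server opts in via a preflight. Origins and headers are constructed sample values, and the preflight is reduced to an origin check (real preflights also validate the method and request headers).

```python
"""Model of which cross-origin requests a browser sends, and when script can
read the response, under CORS. Added illustration; origins are constructed."""

SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SIMPLE_CONTENT_TYPES = {"application/x-www-form-urlencoded",
                        "multipart/form-data", "text/plain"}
SIMPLE_HEADERS = {"accept", "accept-language", "content-language",
                  "content-type"}


def is_simple_request(method, headers):
    """A 'simple' request is one an HTML form could already send cross-origin
    before CORS existed; the browser sends it without a preflight."""
    if method not in SIMPLE_METHODS:
        return False
    for name, value in headers.items():
        lname = name.lower()
        if lname not in SIMPLE_HEADERS:
            return False
        if lname == "content-type":
            media_type = value.split(";")[0].strip().lower()
            if media_type not in SIMPLE_CONTENT_TYPES:
                return False
    return True


def cross_origin_outcome(origin, method, headers, server_allow_origin):
    """Return (request_reaches_server, response_readable_by_script).

    server_allow_origin models the server's Access-Control-Allow-Origin
    value; None means the server has not opted in to CORS at all.
    """
    opted_in = server_allow_origin in ("*", origin)
    if is_simple_request(method, headers):
        # Sent regardless of CORS, just like a form post: the set of requests
        # an attacker can cause is unchanged. Only response visibility changes.
        return True, opted_in
    # Non-simple: the browser preflights with OPTIONS first. Without the
    # server's opt-in the actual request is never sent.
    return opted_in, opted_in


if __name__ == "__main__":
    form = {"Content-Type": "application/x-www-form-urlencoded"}
    print(cross_origin_outcome("https://a.example", "POST", form, None))
    print(cross_origin_outcome("https://a.example", "PUT", {}, None))
    print(cross_origin_outcome("https://a.example", "PUT", {}, "https://a.example"))
```

The first tuple element is what matters for CSRF: it is True for simple requests whether or not the server speaks CORS, so CSRF tokens remain the defence there, and it only becomes True for non-simple requests once the server explicitly allows the origin.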