- From: Tyler Close <tyler.close@gmail.com>
- Date: Wed, 4 Nov 2009 20:20:00 -0800
- To: Maciej Stachowiak <mjs@apple.com>
- Cc: WebApps WG <public-webapps@w3.org>
Hi Maciej,

Thanks for the many responses. I'll try to get to them all shortly, but I'd like to start by clarifying one point...

On Wed, Nov 4, 2009 at 5:57 PM, Maciej Stachowiak <mjs@apple.com> wrote:
> On Nov 4, 2009, at 4:51 PM, Tyler Close wrote:
> 2) I strongly disagree with the final sentence on that page: "As discussed
> at Tuesday's TPAC meeting, Maciej's solution is vulnerable to a CSRF-like
> attack by Server A on Server B if the "add event" URL provided by Server A
> actually refers to a resource on Server B." The scenario I posted does *not*
> involve Server A providing a URL to Server B and does not have a
> vulnerability.

How does Server B get the URL if not from Server A? The URL is supposed to refer to a resource on Server A, so only Server A can provide its value. Somehow, Server B must get the URL from Server A. That communication, however it is done, is vulnerable to a CSRF-like attack.

--Tyler
Received on Thursday, 5 November 2009 04:20:33 UTC