- From: Jonas Sicking <jonas@sicking.cc>
- Date: Wed, 4 Nov 2009 21:05:21 -0800
- To: Maciej Stachowiak <mjs@apple.com>
- Cc: Tyler Close <tyler.close@gmail.com>, WebApps WG <public-webapps@w3.org>
On Wed, Nov 4, 2009 at 6:04 PM, Maciej Stachowiak <mjs@apple.com> wrote:
>
> I forgot to mention another shared secret management risk with the proposed
> GuestXHR-based protocol. The protocol involves passing the shared secret in
> URLs, including URLs that will appear in the browser's URL field. URLs
> should not be considered confidential - they have a high tendency to get
> inadvertently exposed to third parties. Some of the ways this happens
> include caching layers, the browser history (particularly shared sync of the
> browser history), and users copying URLs out of the URL field without
> considering whether this particular URL contains a secret.
>
> I believe this can be fixed by always transmitting the shared secret in the
> body of an https POST rather than as part of the URL, so this risk is not
> intrinsic to this style of protocol.

What about headers? We could allocate a specific header which is allowed to
be set for cross site requests.

/ Jonas
Received on Thursday, 5 November 2009 05:06:20 UTC
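As an added example, not part of either message above and not code from the GuestXHR proposal: a small JavaScript model of the three placements under discussion (secret in the URL query string, in an https POST body, in a request header) run through two recorders that keep what browser history, caches and copied address-bar text keep (the URL only) and what a Common-Log-Format access log keeps (the request line). The origin, path, and the header name X-Shared-Secret are constructed placeholders, not anything the thread or any spec defines.

```javascript
// Added example, not from the thread. Models where a shared secret ends up for
// the three placements discussed: URL, POST body, request header.
// ORIGIN, the /guest/resource path and the X-Shared-Secret header name are
// hypothetical placeholders chosen for this illustration.

const ORIGIN = 'https://example.net'; // constructed target origin

// Build the cross-site request with the secret in one of three places.
function buildRequest(placement, secret) {
  const base = `${ORIGIN}/guest/resource`;
  switch (placement) {
    case 'url':
      return {
        method: 'GET',
        url: `${base}?secret=${encodeURIComponent(secret)}`,
        headers: {},
        body: null,
      };
    case 'body':
      return {
        method: 'POST',
        url: base,
        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
        body: `secret=${encodeURIComponent(secret)}`,
      };
    case 'header':
      return {
        method: 'GET',
        url: base,
        headers: { 'X-Shared-Secret': secret }, // hypothetical header name
        body: null,
      };
    default:
      throw new Error(`unknown placement: ${placement}`);
  }
}

// What a history entry, a cache key, a history-sync record or a copied
// address-bar string retains: the URL and nothing else.
function historyRecord(req) {
  return { url: req.url };
}

// What a Common Log Format access log line retains: method, path and query.
// Headers and body are not part of the request line.
function accessLogLine(req) {
  const u = new URL(req.url);
  return `${req.method} ${u.pathname}${u.search} HTTP/1.1`;
}

// True if the secret (raw or URL-encoded) is visible in the recorded text.
function leaks(text, secret) {
  return text.includes(secret) || text.includes(encodeURIComponent(secret));
}

// For each placement, report whether the secret survives into the two kinds of
// record. Only the URL placement leaks in both; body and header leak in neither.
function exposure(secret) {
  const out = {};
  for (const p of ['url', 'body', 'header']) {
    const req = buildRequest(p, secret);
    out[p] = {
      history: leaks(historyRecord(req).url, secret),
      accessLog: leaks(accessLogLine(req), secret),
    };
  }
  return out;
}

console.log(exposure('s3cr3t-t0ken')); // constructed sample secret
```

The two recorders deliberately model only the channels Maciej names (history, caches, copy-and-paste) plus the server log, since those key on or record the URL; they say nothing about channels such as Referer or TLS interception, which the thread does not discuss.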