W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2009

[cors] Uniform Messaging, a CSRF resistant profile of CORS

From: Tyler Close <tyler.close@gmail.com>
Date: Fri, 20 Nov 2009 17:04:16 -0800
Message-ID: <5691356f0911201704s6e6d3c8aod3d4f98835f5a6c1@mail.gmail.com>
To: public-webapps <public-webapps@w3.org>
MarkM and I have produced a draft specification for the GuestXHR
functionality we've been advocating. The W3C style specification
document is attached. We look forward to any feedback on it.

We agree with others that "GuestXHR" was not a good name and so have
named the proposal "Uniform Messaging" for reasons elaborated in the

To parallel the CORS separation of policy from API, this first
document is the policy specification with an XMLHttpRequest-like API
yet to follow.

This document defines a mechanism to enable requests that are
independent of the client's context. Using this mechanism, a client
can engage in cross-site messaging without the danger of
Cross-Site-Request-Forgery and similar attacks that abuse the cookies
and other HTTP headers that form a client's context. For example, code
from customer.example.org can use this mechanism to send requests to
resources determined by service.example.com without further need to
protect the client's context.


Received on Saturday, 21 November 2009 01:04:58 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:13:02 UTC