W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2009

Re: [cors] Uniform Messaging, a CSRF resistant profile of CORS

From: Tyler Close <tyler.close@gmail.com>
Date: Mon, 23 Nov 2009 09:33:51 -0800
Message-ID: <5691356f0911230933u41eed6c5m942bfb95dd06f884@mail.gmail.com>
To: public-webapps <public-webapps@w3.org>
I made some minor edits and formatting improvements to the document
sent out on Friday. The new version is attached. If you read the prior
version, there's no need to review the new one. If you're just getting
started, use the attached copy.


On Fri, Nov 20, 2009 at 5:04 PM, Tyler Close <tyler.close@gmail.com> wrote:
> MarkM and I have produced a draft specification for the GuestXHR
> functionality we've been advocating. The W3C style specification
> document is attached. We look forward to any feedback on it.
> We agree with others that "GuestXHR" was not a good name and so have
> named the proposal "Uniform Messaging" for reasons elaborated in the
> specification.
> To parallel the CORS separation of policy from API, this first
> document is the policy specification with an XMLHttpRequest-like API
> yet to follow.
> Abstract:
> """
> This document defines a mechanism to enable requests that are
> independent of the client's context. Using this mechanism, a client
> can engage in cross-site messaging without the danger of
> Cross-Site-Request-Forgery and similar attacks that abuse the cookies
> and other HTTP headers that form a client's context. For example, code
> from customer.example.org can use this mechanism to send requests to
> resources determined by service.example.com without further need to
> protect the client's context.
> """
> Thanks,
> --Tyler

"Waterken News: Capability security on the Web"

Received on Monday, 23 November 2009 17:34:25 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:13:02 UTC