- From: Adam Barth <w3c@adambarth.com>
- Date: Tue, 15 Dec 2009 00:09:02 -0800
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: Tyler Close <tyler.close@gmail.com>, Maciej Stachowiak <mjs@apple.com>, "Mark S. Miller" <erights@google.com>, Arthur Barstow <Art.Barstow@nokia.com>, Ian Hickson <ian@hixie.ch>, Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>

On Mon, Dec 14, 2009 at 6:14 PM, Jonas Sicking <jonas@sicking.cc> wrote:
> For what it's worth, I'm not sure that "eliminating" is correct here.
> With UM, I can certainly see people doing things like using a wrapping
> library for all UM requests (very commonly done with XHR today), and
> then letting that library add the security token to the request.

There are real examples of this exact vulnerability occurring in CSRF
defenses based on secret tokens. There's no silver bullet for security.

Adam

Received on Tuesday, 15 December 2009 08:09:56 UTC