Re: Proposed CSRF countermeasure

From: John Wilander <john.wilander@owasp.org>
Date: Tue, 20 Aug 2013 10:54:40 +0200
Message-ID: <CALrECXAcYPuNTAsuBPNki=ROL_BB6urkAZNjxBf5cZg-dNKCOw@mail.gmail.com>
To: Mike Shema <mshema@qualys.com>
Cc: public-webappsec <public-webappsec@w3.org>

2013/8/15 Mike Shema <mshema@qualys.com>

> An SOS policy may be applied to one or more cookies for a web application
> on a per-cookie or collective basis. The policy controls whether the
> browser includes those cookies during cross-origin requests. (A
> cross-origin resource cannot access a cookie from another origin, but it
> may generate a request that causes the cookie to be included.)

Michal mentioned it, but it wasn't clear to me: does your proposal apply
only to CORS or to all cross-origin requests (iframes, frame sets, images,
scripts, style sheets, form gets/posts, etc.)?

   Regards, John
Received on Tuesday, 20 August 2013 08:55:08 UTC
