
Re: WebAppSec re-charter status

From: Anne van Kesteren <annevk@annevk.nl>
Date: Fri, 13 Feb 2015 12:29:23 +0100
Message-ID: <CADnb78hH9szYGYLZ6SacGifJ6VzN4ZTCbOfOG=OaNFugMCyBww@mail.gmail.com>
To: "Eduardo' Vela <Nava>" <evn@google.com>
Cc: Brad Hill <hillbrad@gmail.com>, Bjoern Hoehrmann <derhoermi@gmx.net>, David Ross <drx@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Fri, Feb 13, 2015 at 12:13 PM, "Eduardo' Vela <Nava>" <evn@google.com> wrote:
> I spent some time trying to make a poor-man's EPR with ServiceWorkers and it
> didn't work. Since ServiceWorkers don't get invoked on resource requests
> (XHR, <img>, etc.) then one can't use them to protect against CSRF.

Service workers are involved in those fetches, as long as the service
worker is controlling the client (document/worker) that initiates
them.


> That said, ServiceWorkers can be used effectively to "break linking in the
> web". Since it's already possible to "break linking on the web" with
> ServiceWorkers, we need to either fix SWs, or allow EPR.

That's not how it works.


Even if Referer or service workers were an effective mechanism, that
doesn't mean that we need to add another mechanism. And so far it's
still unclear what is being solved in terms of XSS that CSP does not
address. And in terms of XSRF, it seems we should prioritize work on
cookies.


-- 
https://annevankesteren.nl/
Received on Friday, 13 February 2015 11:29:47 UTC
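The mechanism under discussion, as an added example that is not code from either poster: a service-worker `fetch` handler that acts as a minimal "entry point regulation" policy. It rests on the condition Anne states: the worker sees navigations into its scope and every request (XHR, `<img>`, `fetch()`) issued by a client it controls, so a request issued from a page on another origin, which the worker does not control, never reaches this handler. Cross-site form posts and framed pages are navigations, so they do. The site origin `https://example.test`, the `ENTRY_POINTS` list and the `decide` function are assumptions made for the example.

```javascript
// Added example, not from the thread. A service-worker fetch handler that
// regulates how a site may be entered from elsewhere. `decide` is a pure
// function so it can be exercised outside a browser; the listener at the
// bottom is the glue that runs inside a real ServiceWorkerGlobalScope.

// Assumed site origin and the paths a cross-site navigation may land on.
const SITE_ORIGIN = 'https://example.test';
const ENTRY_POINTS = new Set(['/', '/login', '/public/']);

// Origin of a Request.referrer value, or null when it is absent or unknown.
// '' means the referrer was suppressed; 'about:client' is the unresolved
// default and carries no information about the referring page.
function referrerOrigin(referrer) {
  if (!referrer || referrer === 'about:client') return null;
  try {
    return new URL(referrer).origin;
  } catch {
    return null;
  }
}

// '/' matches only the root; entries ending in '/' match as prefixes;
// everything else must match exactly.
function isEntryPoint(pathname, entryPoints) {
  for (const p of entryPoints) {
    if (p === '/') {
      if (pathname === '/') return true;
    } else if (p.endsWith('/')) {
      if (pathname.startsWith(p)) return true;
    } else if (pathname === p) {
      return true;
    }
  }
  return false;
}

// `req` mirrors the Request fields used: { url, mode, referrer }.
// Returns { allow, reason } so the listener can respond or stand aside.
function decide(req, siteOrigin = SITE_ORIGIN, entryPoints = ENTRY_POINTS) {
  const url = new URL(req.url);
  if (url.origin !== siteOrigin) {
    return { allow: true, reason: 'request to another origin; not regulated here' };
  }
  if (req.mode !== 'navigate') {
    // A non-navigation request only reaches this worker when a client it
    // controls (one of our own pages) issued it, so it is first-party.
    return { allow: true, reason: 'subresource from a controlled client' };
  }
  if (referrerOrigin(req.referrer) === siteOrigin) {
    return { allow: true, reason: 'same-origin navigation' };
  }
  if (isEntryPoint(url.pathname, entryPoints)) {
    return { allow: true, reason: 'cross-site navigation to a declared entry point' };
  }
  return { allow: false, reason: 'cross-site navigation to non-entry path ' + url.pathname };
}

// Browser-only glue: register the handler when running as a service worker.
if (typeof ServiceWorkerGlobalScope !== 'undefined' &&
    typeof self !== 'undefined' && typeof self.addEventListener === 'function') {
  self.addEventListener('fetch', (event) => {
    const r = event.request;
    const verdict = decide({ url: r.url, mode: r.mode, referrer: r.referrer });
    if (!verdict.allow) {
      event.respondWith(new Response('Blocked: ' + verdict.reason, { status: 403 }));
    }
    // Allowed requests are left alone and go to the network as usual.
  });
}
```

Two design choices are worth noting. A navigation with no usable referrer (a typed URL, a bookmark, or a page sent with a `no-referrer` policy) is treated as cross-site and is only allowed onto a declared entry point; the alternative, trusting the absence of a referrer, would let any referrer-suppressing page bypass the check. And the policy covers only what the worker can see: the first visit before the worker is installed, and requests initiated by documents on other origins, are not subject to it.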
