- From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
- Date: Mon, 30 Jul 2007 13:39:43 -0400
- To: tlr@w3.org
- Cc: public-wsc-wg@w3.org
- Message-ID: <OF5DF05443.CAE442DD-ON85257328.00607F12-85257328.0061061A@LocalDomain>
responding to: http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jun/0242.html

Sorry I didn't catch this earlier. I'm fine with all of it, except the parenthetical part of this one:

> 3. Cross-site request forgery - causing a user to
> unwittingly send, to a legitimate site, a request containing
> data that he/she would not otherwise intend to send (e.g. to
> perform an action that he/she did not intend to take).

The issue I have with the parenthesis is that I don't see what's in our scope that could possibly deal with the "pure action" form of CSRF (as opposed to one that also requires the user to input data). By "pure action" I mean a URL based web application command that the user can legitimately issue (particularly when they are in an authenticated session with the web application). The defenses I know of to address that all take the form of tying the URL command to the user's session (with a nonce, for example) so that the URL command cannot be easily, blindly generated by the "attacker" as something the user will mistakenly click on.

If someone can show an example of the sort of thing that we might do in the "pure action" CSRF area, then I'm OK leaving the parenthetical part in. Otherwise, I'd like to remove it. Either way, the rest of the text is good, and should be incorporated.
Received on Monday, 30 July 2007 17:40:05 UTC
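The defense the message describes, a per-session nonce bound to each state-changing URL command, as an added illustration that is not part of the original post or of any W3C deliverable. The in-memory session store, the `app.example` host, and the `csrf_token` parameter name are constructed for the example; a real application would keep the token in its server-side session and emit it in forms and action links.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed in-memory session store: session id -> session record.
# A real deployment would use the application's own session backend.
SESSIONS = {}


def create_session(user):
    """Start an authenticated session and bind a fresh, unpredictable
    CSRF nonce to it. The nonce is what a blind forger cannot know."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def build_action_url(sid, action, **params):
    """What the legitimate application emits for a 'pure action' command:
    the URL carries the nonce bound to the caller's session."""
    token = SESSIONS[sid]["csrf_token"]
    query = urlencode({**params, "csrf_token": token})
    return f"https://app.example/{action}?{query}"


def handle_request(sid, url):
    """Server-side check: perform the action only when the nonce in the URL
    matches the one bound to the session that the request was sent with."""
    session = SESSIONS.get(sid)
    if session is None:
        return ("rejected", "no authenticated session")
    parts = urlsplit(url)
    supplied = parse_qs(parts.query).get("csrf_token", [""])[0]
    # Constant-time comparison so the check itself leaks nothing about the nonce.
    if not hmac.compare_digest(supplied, session["csrf_token"]):
        return ("rejected", "csrf token missing or does not match session")
    return ("performed", parts.path.lstrip("/"))


if __name__ == "__main__":
    alice = create_session("alice")
    legit = build_action_url(alice, "delete_account", confirm="yes")
    print(handle_request(alice, legit))
    # A URL built without knowledge of Alice's session nonce is refused.
    print(handle_request(alice, "https://app.example/delete_account?confirm=yes"))
```

The point the example makes is the one in the message: the command URL is no longer something that can be generated blindly, because every valid instance of it depends on a secret that only the user's own session holds, and a token taken from a different session is rejected just like a missing one.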