- From: Thomas Roessler <tlr@w3.org>
- Date: Mon, 30 Jul 2007 14:52:28 -0400
- To: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
- Cc: public-wsc-wg@w3.org
On 2007-07-30 13:39:43 -0400, Mary Ellen Zurko wrote:

> The issue I have with the parenthesis is that I don't see what's
> in our scope that could possibly deal with the "pure action" form
> of CSRF (as opposed to one that also requires the user to input
> data). By "pure action" I mean a URL-based web application
> command that the user can legitimately issue (particularly when
> they are in an authenticated session with the web application).
> The defenses I know of to address that all take the form of tying
> the URL command to the user's session (with a nonce, for
> example) so that the URL command cannot be easily, blindly
> generated by the "attacker" as something the user will mistakenly
> click on.

Well, this is getting into HTTP POST vs. GET discussions: Use GET for
side-effect free activities, use POST for side-effect bearing
activities. Don't play with nonces and GET in order to poorly imitate
POST.

I think the threats that are listed in the wiki below this particular
high-level theme indeed sound as if they are in scope, and I also
think the "cause an action" part is a useful explanation, so I'd
propose we keep the current text.

--
Thomas Roessler, W3C <tlr@w3.org>
Received on Monday, 30 July 2007 18:52:38 UTC
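The session-bound nonce defense Mary Ellen describes, applied to a POST endpoint as Thomas prefers, as an added example for this archive page (it is not code from the thread or from the WSC WG). The `/transfer` endpoint, the in-memory session store and the `alice`/`mallory`/`bob` accounts are constructed for illustration. The legacy handler is the "pure action" GET: the browser attaches the session cookie to a cross-site `<img>` fetch, so the transfer goes through. The hardened handler performs the side effect only on POST and only when the form body carries the nonce the server stored in the session; the browser attaches the cookie to a cross-site auto-submitted form just the same, so it is the nonce check, not the method alone, that rejects the forged request, and marking the nonce single-use also stops a replay.

```python
import hmac
import secrets
from dataclasses import dataclass

# Constructed in-memory state for this example (no real web framework):
# a server-side session store and toy account balances.
SESSIONS = {}   # session id -> {"user": str, "csrf": str or None}
BALANCES = {}   # account -> balance


def reset():
    SESSIONS.clear()
    BALANCES.clear()
    BALANCES["alice"] = 100


def login(user):
    """Create an authenticated session; the returned id is the cookie value."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": None}
    return sid


def issue_csrf_token(sid):
    """Mint a fresh nonce, bind it to this session server-side, and hand it to the form."""
    token = secrets.token_urlsafe(32)
    SESSIONS[sid]["csrf"] = token
    return token


def do_transfer(src, dst, amount):
    BALANCES[src] -= amount
    BALANCES[dst] = BALANCES.get(dst, 0) + amount


@dataclass
class Request:
    method: str
    path: str
    cookies: dict   # the browser attaches these even on cross-site requests
    params: dict    # query string for GET, form body for POST


def legacy_handler(req):
    """'Pure action' GET: the session cookie is the only thing authorising the side effect."""
    session = SESSIONS.get(req.cookies.get("sid"))
    if session is None:
        return 401, "login required"
    if req.method == "GET" and req.path == "/transfer":
        do_transfer(session["user"], req.params["to"], int(req.params["amount"]))
        return 200, "transferred"
    return 404, "not found"


def hardened_handler(req):
    """GET renders the form (no side effect); POST acts only with the session-bound nonce."""
    sid = req.cookies.get("sid")
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "login required"
    if req.method == "GET" and req.path == "/transfer":
        # Return the nonce the real form would embed as a hidden field.
        return 200, issue_csrf_token(sid)
    if req.method == "POST" and req.path == "/transfer":
        expected = session["csrf"]
        supplied = req.params.get("csrf", "")
        if not expected or not hmac.compare_digest(expected, supplied):
            return 403, "missing or wrong csrf token"
        session["csrf"] = None   # single use: a captured token cannot be replayed
        do_transfer(session["user"], req.params["to"], int(req.params["amount"]))
        return 200, "transferred"
    return 404, "not found"


def forged_get_attack():
    """Attacker page embeds <img src="https://bank.example/transfer?to=mallory&amount=50">
    (hypothetical host). Returns True if the cross-site GET moved the money."""
    reset()
    sid = login("alice")
    forged = Request("GET", "/transfer", {"sid": sid}, {"to": "mallory", "amount": "50"})
    legacy_handler(forged)
    return BALANCES.get("mallory", 0) == 50


def forged_post_attack():
    """Attacker page auto-submits a POST form. The cookie still rides along, but the
    attacker cannot read the nonce in alice's session, so they can only guess.
    Returns True if the forged POST moved the money."""
    reset()
    sid = login("alice")
    hardened_handler(Request("GET", "/transfer", {"sid": sid}, {}))   # victim opened the real form
    forged = Request("POST", "/transfer", {"sid": sid},
                     {"to": "mallory", "amount": "50", "csrf": secrets.token_urlsafe(32)})
    status, _ = hardened_handler(forged)
    return status == 200 or BALANCES.get("mallory", 0) != 0


def legitimate_flow():
    """Alice loads the form, submits with its nonce, then the same POST is replayed.
    Returns (first status, replay status, alice's balance, bob's balance)."""
    reset()
    sid = login("alice")
    _, token = hardened_handler(Request("GET", "/transfer", {"sid": sid}, {}))
    post = Request("POST", "/transfer", {"sid": sid}, {"to": "bob", "amount": "30", "csrf": token})
    first, _ = hardened_handler(post)
    replay, _ = hardened_handler(post)
    return first, replay, BALANCES["alice"], BALANCES.get("bob", 0)


if __name__ == "__main__":
    print("forged GET against legacy handler moved money:", forged_get_attack())
    print("forged POST against hardened handler moved money:", forged_post_attack())
    print("legitimate POST, then replay:", legitimate_flow())
```

The token is compared with `hmac.compare_digest` rather than `==` so the check does not leak the nonce through timing, and it lives server-side in the session rather than in the URL, which is the difference between binding the command to the session and merely decorating a GET with a nonce.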