Re: ACTION-243 Propose link from note to threat trees (ISSUE-77)

> > The issue I have with the parenthesis is that I don't see what's
> > in our scope that could possibly deal with the "pure action" form
> > of CSRF (as opposed to one that also requires the user to input
> > data). By "pure action" I mean a URL based web application
> > command that the user can legitimately issue (particularly when
> > they are in an authenticated session with the web application).
> > The defenses I know of to address that all take the form of tying
> > the URL command to the user's session (with a nonce, for 
> > example) so that the URL command cannot be easily, blindly
> > generated by the "attacker" as something the user will mistakenly
> > click on.
> 
> Well, this is getting into HTTP POST vs. GET discussions: Use GET
> for side-effect free activities, use POST for side-effect bearing
> activities.  Don't play with nonces and GET in order to poorly
> imitate POST.
> 
> I think the threats that are listed in the wiki below this
> particular high-level theme indeed sound as if they are in scope,
> and I also think the "cause an action" part is a useful explanation,
> so I'd propose we keep the current text.


Thank you for referring me to the threats in the wiki. The attacks are all 
form based, not "pure actions" (without any additional user data). The 
parenthetical part of your proposal (which you stripped from this thread) 
implies that we're covering "pure action" CSRFs. We're not. It should be 
removed. Otherwise, the text is great. 

Received on Monday, 30 July 2007 19:06:27 UTC
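The session-bound nonce defense and the GET/POST split discussed above, as an added example that is not code from this thread or from the W3C note it concerns; the handler, route names and in-memory session store are assumptions made for illustration:

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> session state.
SESSIONS = {}


def new_session(user):
    """Create an authenticated session with its own anti-CSRF token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16), "balance": 100}
    return sid


def render_transfer_form(sid):
    """The legitimate page embeds the session's token in the POST form."""
    return {"action": "/transfer", "method": "POST", "csrf": SESSIONS[sid]["csrf"]}


def handle(sid, method, path, params):
    """Route one request carrying the session cookie `sid`.

    GET is side-effect free (read-only), so a forged link can trigger nothing.
    POST carries side effects and is honoured only when the submitted token
    matches the one tied to this session.
    """
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "no session"
    if method == "GET":
        if path == "/balance":
            return 200, session["balance"]
        return 405, "state-changing commands are not reachable via GET"
    if method == "POST" and path == "/transfer":
        token = params.get("csrf", "")
        # Constant-time comparison; a missing or wrong token is rejected
        # before any state is touched.
        if not hmac.compare_digest(token, session["csrf"]):
            return 403, "missing or mismatched CSRF token"
        session["balance"] -= int(params["amount"])
        return 200, session["balance"]
    return 404, "unknown command"


def demo():
    sid = new_session("alice")
    form = render_transfer_form(sid)
    legit = handle(sid, "POST", "/transfer", {"csrf": form["csrf"], "amount": 30})
    # A cross-site page can make the browser attach the cookie, but it cannot
    # read the token out of the victim's page, so its forged POST lacks it.
    forged = handle(sid, "POST", "/transfer", {"amount": 30})
    pure_action = handle(sid, "GET", "/transfer", {"amount": 30})
    return legit, forged, pure_action
```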