W3C home > Mailing lists > Public > www-tag@w3.org > June 2009

Re: Cross Site Request Forgery and GET (ACTION-274)

From: <noah_mendelsohn@us.ibm.com>
Date: Fri, 5 Jun 2009 10:06:01 -0400
To: Thomas Roessler <tlr@w3.org>
Cc: www-tag@w3.org
Message-ID: <OF4BFC32B4.58AC20AB-ON852575CC.004D4567-852575CC.004D77C2@lotus.com>
> In that circumstance, a "log out to prevent XSRF" practice just 
> doesn't make sense.

Well, it does if the collection of applications/sites you have active 
includes at most one in which you have login credentials giving permission 
to access or change sensitive information.  For myself, I try to maintain 
that self-imposed restriction, and it would be easier and safer if my user 
agent helped me to do that.  I'm not saying that this is a complete 
solution, but maybe a piece of the puzzle.  For example, if the user agent 
were aware of such logins being active, it could warn when a script from 
another site was taking advantage of them.


Noah Mendelsohn 
IBM Corporation
One Rogers Street
Cambridge, MA 02142

Thomas Roessler <tlr@w3.org>
06/05/2009 09:56 AM
        To:     noah_mendelsohn@us.ibm.com
        cc:     www-tag@w3.org
        Subject:        Re: Cross Site Request Forgery and GET 

On 5 Jun 2009, at 00:36, noah_mendelsohn@us.ibm.com wrote:

> Granting that naive users won't know to do this, and even 
> sophisticated
> users can easily forget: to what extent can individuals protect 
> themselves
> by logging off from one site before visiting another.

In theory, that would help (though there are some tricks to cause 
logins when form fillers are active).

The real point here is, though, that today's web browsers will run 
several web applications at the same time; these applications might 
come from different origins, depend on each other, and talk to each 

In that circumstance, a "log out to prevent XSRF" practice just 
doesn't make sense.
Received on Friday, 5 June 2009 14:06:47 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:56:29 UTC