- From: Jonathan Rees <jar@creativecommons.org>
- Date: Fri, 5 Jun 2009 11:17:05 -0400
- To: Anne van Kesteren <annevk@opera.com>
- Cc: David Orchard <orchard@pacificspirit.com>, Technical Architecture Group WG <www-tag@w3.org>

Anne,

Let me see if I understand this: Dave can't do POSTs, so his applications are using GET instead. Because the servers allow these GETs, they expose their clients to CSRF attacks. With CORS, a protocol will be defined, and presumably implemented by savvy servers and clients, that will permit certain explicitly authorized cross-site POST requests, so the pressure to abuse GET will be relieved, and the CSRF risk will evaporate. The platforms Dave uses will become convinced somehow that CORS is low-risk, will start to implement it, and everyone will be happy.

Yes?

Thanks
Jonathan

On Thu, Jun 4, 2009 at 4:52 AM, Anne van Kesteren <annevk@opera.com> wrote:
> On Wed, 03 Jun 2009 20:29:34 +0200, David Orchard <orchard@pacificspirit.com> wrote:
>> There's some irony that doing cross platform web based development
>> using html, javascript, etc. requires breaking one of the crucial
>> foundations of Web Arch.
>
> We're working on fixing it (as you know):
>
> http://www.w3.org/TR/cors/
>
>
> --
> Anne van Kesteren
> http://annevankesteren.nl/

Received on Friday, 5 June 2009 15:17:45 UTC