- From: David Orchard <orchard@pacificspirit.com>
- Date: Fri, 5 Jun 2009 11:17:59 -0700
- To: Jonathan Rees <jar@creativecommons.org>
- Cc: Anne van Kesteren <annevk@opera.com>, Technical Architecture Group WG <www-tag@w3.org>
The subtlety that I'm bringing up is that the browser hasn't been built with the idea that it could itself be embedded within a trusted application. I *could* do callouts to native code to do the POSTs on the device, but I'd rather stay with the wonderfully documented XHR (thanks Anne!). This is not the typical cross-site scripting, because the 2 sites are the local device and the server.

Dave

On Fri, Jun 5, 2009 at 8:17 AM, Jonathan Rees <jar@creativecommons.org> wrote:
> Anne,
>
> Let me see if I understand this: Dave can't do POSTs, so his
> applications are using GET instead. Because the servers allow these
> GETs, they expose their clients to CSRF attacks. With CORS, a protocol
> will be defined, and presumably implemented by savvy servers and
> clients, that will permit certain explicitly authorized cross-site
> POST requests, so the pressure to abuse GET will be relieved, and the
> CSRF risk will evaporate. The platforms Dave uses will become
> convinced somehow that CORS is low-risk, will start to implement it,
> and everyone will be happy. Yes?
>
> Thanks
> Jonathan
>
> On Thu, Jun 4, 2009 at 4:52 AM, Anne van Kesteren <annevk@opera.com> wrote:
>> On Wed, 03 Jun 2009 20:29:34 +0200, David Orchard <orchard@pacificspirit.com> wrote:
>>> There's some irony that doing cross platform web based development
>>> using html, javascript, etc. requires breaking one of the crucial
>>> foundations of Web Arch.
>>
>> We're working on fixing it (as you know):
>>
>> http://www.w3.org/TR/cors/
>>
>>
>> --
>> Anne van Kesteren
>> http://annevankesteren.nl/
Received on Friday, 5 June 2009 18:18:39 UTC
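The two request shapes Jonathan's summary contrasts, a state-changing GET that any page on the web can forge with the victim's cookies attached, and a cross-site POST that the browser gates behind a CORS preflight, as an added example in plain Node.js. This is not code from the thread, from the W3C, or from any of the participants; the hostnames (`app.example`, `evil.example`), the "transfer" action, the session cookie and the request objects are all constructed for the example. The browser-side rule for when a preflight is sent follows the CORS notion of a "simple" request (GET/HEAD/POST with only safelisted headers and a form-style Content-Type); the server-side pieces show why the Origin check has to be repeated on the real POST rather than trusted from the preflight.

```javascript
// Added example, not from the thread above. Simulates, in plain Node.js with
// no dependencies, the two request shapes the e-mail discusses: a
// state-changing GET that any origin can forge, and a cross-site POST gated
// by a CORS preflight. The hostnames, the "transfer" action and the session
// cookie are assumptions made for this example.

const ALLOWED_ORIGINS = new Set(["https://app.example"]); // assumed allowlist
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);
const SAFELISTED_HEADERS = new Set(["accept", "accept-language", "content-language"]);

// Browser side: does a cross-origin request trigger an OPTIONS preflight?
// Under CORS a request is "simple" (sent without preflight) only if the method
// is GET/HEAD/POST and every author-set header is safelisted, with
// Content-Type restricted to the three form-style values above.
function needsPreflight(method, headers) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (n === "content-type") {
      const mime = value.split(";")[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mime)) return true;
    } else if (!SAFELISTED_HEADERS.has(n)) {
      return true;
    }
  }
  return false;
}

// Server side, the GET variant the thread warns about. The request carries the
// victim's session cookie, but nothing distinguishes a click inside the real
// app from <img src="https://bank.example/transfer?to=mallory&amount=100">
// placed on an attacker's page, so the server has no basis to refuse it.
function handleGetTransfer(req) {
  if (!req.cookies.session) return { status: 401 };
  const { to, amount } = req.query;
  return { status: 200, transferred: { to, amount: Number(amount) } };
}

// Server side, the CORS preflight for the POST variant: approve only an
// allowlisted Origin and only the method/headers the app actually uses.
function corsPreflight(req) {
  const origin = req.headers["origin"];
  const method = req.headers["access-control-request-method"];
  if (!origin || !ALLOWED_ORIGINS.has(origin) || method !== "POST") {
    return { status: 403, headers: {} };
  }
  return {
    status: 204,
    headers: {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Methods": "POST",
      "Access-Control-Allow-Headers": "Content-Type",
      "Access-Control-Allow-Credentials": "true",
      "Vary": "Origin",
    },
  };
}

// Server side, the POST itself. The preflight result is cached by the browser,
// and a form-encoded cross-site POST (or a plain <form> submission) never
// preflights at all, so the Origin check is repeated here instead of being
// trusted from the preflight, and a JSON body is required.
function handlePostTransfer(req) {
  const origin = req.headers["origin"];
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return { status: 403 };
  if (!req.cookies.session) return { status: 401 };
  if (req.headers["content-type"] !== "application/json") return { status: 415 };
  const { to, amount } = JSON.parse(req.body);
  return { status: 200, transferred: { to, amount } };
}

// Constructed sample requests for the walk-through (not captured traffic).
const forgedGet = { cookies: { session: "s3ss10n" }, query: { to: "mallory", amount: "100" }, headers: {} };
const evilPreflight = { headers: { origin: "https://evil.example", "access-control-request-method": "POST" } };
const goodPreflight = { headers: { origin: "https://app.example", "access-control-request-method": "POST" } };
const forgedPost = {
  cookies: { session: "s3ss10n" },
  headers: { origin: "https://evil.example", "content-type": "application/x-www-form-urlencoded" },
  body: "to=mallory&amount=100",
};
const goodPost = {
  cookies: { session: "s3ss10n" },
  headers: { origin: "https://app.example", "content-type": "application/json" },
  body: JSON.stringify({ to: "alice", amount: 25 }),
};

function walkthrough() {
  return {
    jsonPostPreflights: needsPreflight("POST", { "Content-Type": "application/json" }),
    formPostPreflights: needsPreflight("POST", { "Content-Type": "application/x-www-form-urlencoded" }),
    forgedGet: handleGetTransfer(forgedGet),          // succeeds: the GET problem
    evilPreflight: corsPreflight(evilPreflight),      // 403
    goodPreflight: corsPreflight(goodPreflight),      // 204 with Allow-* headers
    forgedPost: handlePostTransfer(forgedPost),       // 403: Origin rechecked
    goodPost: handlePostTransfer(goodPost),           // 200
  };
}

console.log(JSON.stringify(walkthrough(), null, 2));
```

The point the `formPostPreflights` entry makes is the caveat a practitioner should keep in mind when reading the optimism in the thread: CORS only governs what a script can read or send via XHR, and a form-encoded cross-site POST is sent without any preflight, so moving from GET to POST does not by itself remove the CSRF exposure. The server still needs its own check, here the Origin allowlist repeated on the real request (a per-session anti-CSRF token is the other common choice).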