- From: Anne van Kesteren <annevk@opera.com>
- Date: Sat, 06 Jun 2009 00:19:36 +0200
- To: "Jonathan Rees" <jar@creativecommons.org>
- Cc: "David Orchard" <orchard@pacificspirit.com>, "Technical Architecture Group WG" <www-tag@w3.org>
On Fri, 05 Jun 2009 17:17:05 +0200, Jonathan Rees <jar@creativecommons.org> wrote:

> Let me see if I understand this: Dave can't do POSTs, so his
> applications are using GET instead. Because the servers allow these
> GETs, they expose their clients to CSRF attacks. With CORS, a protocol
> will be defined, and presumably implemented by savvy servers and
> clients, that will permit certain explicitly authorized cross-site
> POST requests, so the pressure to abuse GET will be relieved, and the
> CSRF risk will evaporate. The platforms Dave uses will become
> convinced somehow that CORS is low-risk, will start to implement it,
> and everyone will be happy. Yes?

Yes. (It actually has other benefits too, such as being able to read the response without letting the third party execute JavaScript on your page, which should help adoption.)

-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Friday, 5 June 2009 22:20:27 UTC
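The exchange above makes two server-side points: state-changing operations should not be reachable over GET (the GET abuse that exposes clients to CSRF), and CORS lets a server grant a specific origin permission to send a cross-site POST and read the response without that origin's script ever running on the server's own page. The following handler is an added illustration written for this archive page; it is not code from the thread or from any W3C specification. It assumes one trusted origin (`https://app.example`), one state-changing path (`/transfer`) and one read-only path (`/balance`), all constructed for the example, and is written as a pure function over a request object so each decision can be inspected without starting a server.

```javascript
// Added illustration, not code from the thread. Constructed assumptions:
// one trusted origin, one state-changing path and one read-only path.
const ALLOWED_ORIGINS = new Set(["https://app.example"]);
const MUTATING_PATHS = new Set(["/transfer"]);
const READ_PATHS = new Set(["/balance"]);

// CORS response headers for an origin on the allow-list. The exact origin is
// echoed (never "*") and Vary: Origin stops a shared cache from handing one
// origin's grant to another.
function corsHeaders(origin) {
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Methods": "GET, POST",
    "Access-Control-Allow-Headers": "Content-Type",
    "Vary": "Origin",
  };
}

// req: { method, path, headers } with lower-case header names, the way a
// Node http.IncomingMessage presents them. Returns { status, headers, body }.
function handleRequest(req) {
  const origin = req.headers["origin"];
  const trusted = origin !== undefined && ALLOWED_ORIGINS.has(origin);
  const withCors = (status, body) =>
    ({ status, headers: trusted ? corsHeaders(origin) : {}, body });

  // 1. Preflight: before a cross-site POST the browser asks whether this
  //    origin is authorised. An unlisted origin gets no CORS headers back,
  //    so the browser never sends the real request.
  if (req.method === "OPTIONS" && "access-control-request-method" in req.headers) {
    return withCors(204, "");
  }

  // 2. State changes only via POST. A GET that changes state can be fired
  //    by any <img src> or link, which is the GET abuse the thread describes.
  if (MUTATING_PATHS.has(req.path)) {
    if (req.method !== "POST") {
      return { status: 405, headers: { "Allow": "POST" }, body: "use POST" };
    }
    // Browsers attach Origin to cross-site POSTs, form submissions included,
    // so rejecting unlisted origins closes that path too. A request with no
    // Origin header is assumed here to come from a non-browser client.
    if (origin !== undefined && !trusted) {
      return { status: 403, headers: {}, body: "origin not allowed" };
    }
    return withCors(200, "transfer accepted");
  }

  // 3. Read-only data: served at the HTTP level to anyone, but only a listed
  //    origin receives CORS headers, so only its scripts may read the body.
  if (READ_PATHS.has(req.path) && req.method === "GET") {
    return withCors(200, '{"balance": 42}');
  }

  return { status: 404, headers: {}, body: "not found" };
}

// Constructed sample requests, as a page on https://evil.example would send them.
const samples = [
  { method: "GET",  path: "/transfer", headers: { origin: "https://evil.example" } },
  { method: "POST", path: "/transfer", headers: { origin: "https://evil.example" } },
  { method: "POST", path: "/transfer", headers: { origin: "https://app.example" } },
];
for (const req of samples) {
  console.log(req.method, req.path, req.headers.origin, "->", handleRequest(req).status);
}
```

The two checks are independent: the 405 on GET removes the trivially reachable CSRF surface regardless of CORS, while the Origin allow-list is what turns the "explicitly authorized cross-site POST" of the thread into a concrete server decision, and the same allow-list controls which origin gets to read the response body.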