- From: John Kemp <john.kemp@nokia.com>
- Date: Fri, 12 Jun 2009 09:38:18 -0400
- To: ext David Orchard <orchard@pacificspirit.com>
- CC: Jonathan Rees <jar@creativecommons.org>, Anne van Kesteren <annevk@opera.com>, Technical Architecture Group WG <www-tag@w3.org>
Hi Dave,

ext David Orchard wrote:
> The subtlety that I'm bringing up is that the browser hasn't been
> built with the idea that itself could be embedded within a trusted
> application.

What is a "trusted application" for the purposes of this discussion? Trusted by whom?

> I *could* do callouts to native code to do the POSTs on
> the device, but I'd rather stay with the wonderfully documented XHR
> (thanks Anne!). This is not the typical cross-site scripting,
> because the 2 sites are the local device and the server.

My grandmother used to say "never trust a client, no matter what jiggery-pokery the client is capable of".

- johnk

>
> Dave
>
> On Fri, Jun 5, 2009 at 8:17 AM, Jonathan Rees <jar@creativecommons.org> wrote:
>> Anne,
>>
>> Let me see if I understand this: Dave can't do POSTs, so his
>> applications are using GET instead. Because the servers allow these
>> GETs, they expose their clients to CSRF attacks. With CORS, a protocol
>> will be defined, and presumably implemented by savvy servers and
>> clients, that will permit certain explicitly authorized cross-site
>> POST requests, so the pressure to abuse GET will be relieved, and the
>> CSRF risk will evaporate. The platforms Dave uses will become
>> convinced somehow that CORS is low-risk, will start to implement it,
>> and everyone will be happy. Yes?
>>
>> Thanks
>> Jonathan
>>
>> On Thu, Jun 4, 2009 at 4:52 AM, Anne van Kesteren <annevk@opera.com> wrote:
>>> On Wed, 03 Jun 2009 20:29:34 +0200, David Orchard <orchard@pacificspirit.com> wrote:
>>>> There's some irony that doing cross platform web based development
>>>> using html, javascript, etc. requires breaking one of the crucial
>>>> foundations of Web Arch.
>>> We're working on fixing it (as you know):
>>>
>>> http://www.w3.org/TR/cors/
>>>
>>> --
>>> Anne van Kesteren
>>> http://annevankesteren.nl/
Received on Friday, 12 June 2009 13:39:19 UTC
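The server side of the situation Jonathan summarises, as an added example that is not from this thread, the TAG, or the CORS specification: a state-changing endpoint refuses GET (the "GET instead of POST" workaround is what exposes clients to CSRF), and cross-site POSTs are accepted only from origins on an explicit allow-list, decided by the server from the browser-supplied Origin header rather than from anything the client asserts about being "trusted". The `/transfer` endpoint, the two origin values, and the request/response types are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Constructed values for the example: this API's own origin and the
# third-party origins it explicitly authorises for cross-site POSTs.
SELF_ORIGIN = "https://api.example.com"
ALLOWED_ORIGINS = {"https://app.example.com"}
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def handle_transfer(req: Request) -> Response:
    """Decide whether a request to the (assumed) /transfer endpoint proceeds."""
    origin = req.headers.get("Origin")

    # 1. A state-changing endpoint never accepts GET: an <img> or link on any
    #    site could trigger it with the victim's cookies (the CSRF hole).
    if req.method == "GET":
        return Response(405, {"Allow": "POST, OPTIONS"})

    # 2. CORS preflight: the browser asks on the page's behalf whether a
    #    cross-site POST is permitted. Only an allow-listed Origin gets a yes.
    if req.method == "OPTIONS":
        wanted = req.headers.get("Access-Control-Request-Method")
        if origin in ALLOWED_ORIGINS and wanted == "POST":
            return Response(204, {"Access-Control-Allow-Origin": origin,
                                  "Access-Control-Allow-Methods": "POST",
                                  "Vary": "Origin"})
        return Response(403)

    # 3. The real request. The browser sets Origin itself (page script cannot
    #    override it), so the server relies on that header, not on the client's
    #    claims. A missing Origin is treated as untrusted for a
    #    cookie-authenticated mutation (a conservative policy choice).
    if req.method in MUTATING:
        if origin == SELF_ORIGIN:
            return Response(200)
        if origin in ALLOWED_ORIGINS:
            return Response(200, {"Access-Control-Allow-Origin": origin, "Vary": "Origin"})
        return Response(403)
    return Response(405, {"Allow": "POST, OPTIONS"})
```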