Re: GET becoming unsafe?

Hi Dave,

ext David Orchard wrote:
> The subtlety that I'm bringing up is that the browser hasn't been
> built with the idea that itself could be embedded within a trusted
> application.

What is a "trusted application" for the purposes of this discussion? 
Trusted by whom?

>  I *could* do callouts to native code to do the POSTs on
> the device, but I'd rather stay with the wonderfully documented XHR
> (thanks Anne!).  This is not they typical cross-site scripting,
> because the 2 sites are the local device and the server.

My grandmother used to say "never trust a client, no matter what 
jiggery-pokery the client is capable of".

- johnk

> 
> Dave
> 
> On Fri, Jun 5, 2009 at 8:17 AM, Jonathan Rees<jar@creativecommons.org> wrote:
>> Anne,
>>
>> Let me see if I understand this: Dave can't do POSTs, so his
>> applications are using GET instead. Because the servers allow these
>> GETs, they expose their clients to CSRF attacks. With CORS, a protocol
>> will be defined, and presumably implemented by savvy servers and
>> clients, that will permit certain explicitly authorized cross-site
>> POST requests, so the pressure to abuse GET will be relieved, and the
>> CSRF risk will evaporate. The platforms Dave uses will become
>> convinced somehow that CORS is low-risk, will start to implement it,
>> and everyone will be happy. Yes?
>>
>> Thanks
>> Jonathan
>>
>> On Thu, Jun 4, 2009 at 4:52 AM, Anne van Kesteren <annevk@opera.com> wrote:
>>> On Wed, 03 Jun 2009 20:29:34 +0200, David Orchard <orchard@pacificspirit.com> wrote:
>>>> There's some irony that doing cross platform web based development
>>>> using html, javascript, etc. requires breaking one of the crucial
>>>> foundations of Web Arch.
>>> We're working on fixing it (as you know):
>>>
>>>  http://www.w3.org/TR/cors/
>>>
>>>
>>> --
>>> Anne van Kesteren
>>> http://annevankesteren.nl/
>>>
>>>
> 

Received on Friday, 12 June 2009 13:39:19 UTC