- From: Jonathan Rees <jar@creativecommons.org>
- Date: Wed, 25 Nov 2009 07:37:43 -0500
- To: Dan Connolly <connolly@w3.org>
- Cc: www-tag@w3.org
I read this. If I understand correctly it specifies a way for a server to declare that a particular resource is either public (doesn't need protection) or is adequately protected using some mechanism other than SOP (e.g. unguessability). If a resource opts in to this system, then cross-origin uses are allowed by the client.

Examples:
(a) a server could say that a style sheet doesn't need protection from cross-origin access
(b) a server could say that a resource named by an unguessable URI doesn't need SOP protection from cross-origin access (because access to the URI itself is protected in some way)

Cross-origin requests are scrubbed of credentials and therefore pick up no ambient authority (cookies, Origin:, etc). When a cross-origin request is made, the container (browser) checks the response for cross-origin-request opt-in before giving any information about the resource to the requesting script (section 6.3).

Because the request contains no ambient authority, the only possible CSRF attacks would involve resources that are supposed to be protected by a firewall or client IP address, for which the server mistakenly opts in to cross-origin requests... this would require an active effort to do something wrong.

Jonathan

On Tue, Nov 24, 2009 at 11:47 PM, Dan Connolly <connolly@w3.org> wrote:
> FYI, re ACTION-331, tracking the confused deputy issue in CORS work
>
> http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/0914.html
>
> I haven't looked at the proposal closely, so I can't vouch
> for the claim in the subject/title.
>
> --
> Dan Connolly, W3C http://www.w3.org/People/Connolly/
> gpg D3C2 887B 0F92 6005 C541 0875 0F91 96DE 6E52 C29E
Received on Wednesday, 25 November 2009 12:38:23 UTC
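As an added illustration (not code from this thread, nor from the proposal it discusses), the following plain JavaScript models the two container-side steps Jonathan describes: credentials are scrubbed from the outgoing cross-origin request, and the response is released to the requesting script only if the resource opted in. The opt-in header name, the three sample servers and the request are all constructed for the example; the thread does not name the real header, so "x-cross-origin-opt-in" is a placeholder. The third server models the one hazard the message leaves open: a resource guarded only by the caller's network position that mistakenly opts in, which an audit check at the end flags.

```javascript
// Added example, not code from the thread or the proposal it discusses.
// The opt-in header name is an ASSUMED placeholder, not the real header.
const OPT_IN_HEADER = "x-cross-origin-opt-in";

// Ambient authority the container strips from every cross-origin request
// (the message lists cookies and Origin:; HTTP auth and Referer are the
// same kind of thing).
const AMBIENT_AUTHORITY = new Set(["cookie", "authorization", "origin", "referer"]);

function lowercaseKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = v;
  return out;
}

// Step 1: scrub credentials so the request carries nothing the script could
// not have sent on its own (no cookies, no Origin:, no HTTP auth).
function scrubCredentials(request) {
  const headers = {};
  for (const [name, value] of Object.entries(lowercaseKeys(request.headers))) {
    if (!AMBIENT_AUTHORITY.has(name)) headers[name] = value;
  }
  return { method: request.method, url: request.url, headers };
}

// Step 2: release the response to the requesting script only if the
// resource opted in; otherwise the script learns nothing about it.
function releaseToScript(response) {
  const headers = lowercaseKeys(response.headers);
  if (headers[OPT_IN_HEADER] === "true") {
    return { released: true, status: response.status, body: response.body };
  }
  return { released: false, status: null, body: null };
}

// Container-side cross-origin fetch: scrub, send, then gate on opt-in.
function crossOriginFetch(request, server) {
  return releaseToScript(server(scrubCredentials(request)));
}

// Constructed sample servers (not real endpoints).
// A public style sheet: opts in and authenticates nobody.
function publicStyleSheetServer(req) {
  return {
    status: 200,
    headers: { "Content-Type": "text/css", [OPT_IN_HEADER]: "true" },
    body: "body { color: black }",
  };
}

// A cookie-authenticated account page: does not opt in. Even if it did,
// the scrubbed request carries no cookie, so it sees an anonymous caller.
function accountServer(req) {
  if (req.headers["cookie"] !== "session=abc") {
    return { status: 401, headers: {}, body: "login required" };
  }
  return { status: 200, headers: {}, body: "balance: 42" };
}

// The remaining hazard from the message: a resource "protected" only by the
// caller's network position that mistakenly opts in. Scrubbing cannot help,
// because the browser's address is the credential.
function intranetServer(req, callerIsInternal) {
  if (!callerIsInternal) return { status: 403, headers: {}, body: "forbidden" };
  return { status: 200, headers: { [OPT_IN_HEADER]: "true" }, body: "internal wiki" };
}

// Audit check for that misconfiguration: a response that opts in and was
// granted only because of the client address is the case to flag.
function flagsAddressProtectedOptIn(response, grantedByAddress) {
  return grantedByAddress && lowercaseKeys(response.headers)[OPT_IN_HEADER] === "true";
}
```

The point of the model is that the two checks compose: scrubbing removes what a confused deputy could be made to present, and the opt-in gate keeps the script from learning anything about resources that did not ask to be reachable. Only resources whose "credential" is the client's address fall outside both checks, which is the case the audit helper is there to catch on the server side.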