W3C home > Mailing lists > Public > www-tag@w3.org > October 2014

Belated comment on capability URLs

From: Jonathan A Rees <rees@mumble.net>
Date: Fri, 10 Oct 2014 13:03:59 -0400
Message-ID: <CAGnGFMKxDWzLKQdZUcZs4Ct7EiZmBosUF-mFdZXB1O+mBM0OGg@mail.gmail.com>
To: "www-tag@w3.org" <www-tag@w3.org>
Re http://w3ctag.github.io/capability-urls/

The introduction mentions CSRF defense as a reason to use capability URLs:

a session-specific token within the URL created by a form submission (a
type of capability URL) helps to protect against cross-site request forgery

... but this security reason is not listed later in the document in the
lists of reasons.

The omission seems odd, given that (1) it is given as a reason in the
introduction, (2) the capability community gives CSRF (or 'confused
deputy') defense as a primary reason to use capabilities and (3) the TAG
discussed CSRF defense quite a bit back in 2009 when we worked on this

I'd suggest adding CSRF defense as a short section 3.x, and adding it to
the summary list in section 5.


(there was lots of discussion but here is one thing I wrote at the time in
case it helps http://www.w3.org/2001/tag/doc/resource-protection/)
Received on Friday, 10 October 2014 17:04:26 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:57:06 UTC