Re http://w3ctag.github.io/capability-urls/

The introduction mentions CSRF defense as a reason to use capability URLs:

    a session-specific token within the URL created by a form submission
    (a type of capability URL) helps to protect against cross-site request
    forgery <http://en.wikipedia.org/wiki/Cross-site_request_forgery>

... but this security reason is not listed later in the document in the lists of reasons. The omission seems odd, given that (1) it is given as a reason in the introduction, (2) the capability community gives CSRF (or 'confused deputy') defense as a primary reason to use capabilities and (3) the TAG discussed CSRF defense quite a bit back in 2009 when we worked on this topic.

I'd suggest adding CSRF defense as a short section 3.x, and adding it to the summary list in section 5.

Best
Jonathan

(there was lots of discussion but here is one thing I wrote at the time in case it helps http://www.w3.org/2001/tag/doc/resource-protection/)

Received on Friday, 10 October 2014 17:04:26 UTC
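The mechanism the message quotes from the draft's introduction, a session-specific token carried in the form's action URL, shown as an added example. This is not code from the TAG draft or from the message above; the host bank.example, the /transfer path, the _csrf parameter name, the session ids and the server secret are all constructed for illustration. The token is derived as an HMAC of the session id so the server need not store it per session; the browser that holds the session cookie is served the URL containing it, while a cross-site page can make the browser send the cookie but cannot read the token.

```python
"""Session-bound CSRF token in a form action URL (a capability URL).

Added example; not code from the capability-urls draft or the e-mail above.
Host, path, parameter name, session ids and secret are constructed here.
"""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Per-deployment key (constructed); in practice loaded from configuration.
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token(secret: bytes, session_id: str) -> str:
    """Token bound to one session: HMAC-SHA256(secret, session_id).

    Unique per session, unguessable without the secret, and recomputable
    by the server, so nothing has to be stored alongside the session.
    """
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def form_action_url(secret: bytes, session_id: str, path: str = "/transfer") -> str:
    """URL the server embeds as the form's action when serving this session."""
    return f"https://bank.example{path}?_csrf={csrf_token(secret, session_id)}"


def request_is_authentic(secret: bytes, session_id_from_cookie: str, request_url: str) -> bool:
    """Server-side check on a submitted request.

    The session comes from the cookie (which the browser attaches to any
    request, forged or not); the token must be the one derived for that
    session. Comparison is constant-time.
    """
    query = parse_qs(urlsplit(request_url).query)
    presented = query.get("_csrf", [""])[0]
    expected = csrf_token(secret, session_id_from_cookie)
    return hmac.compare_digest(presented, expected)


def demo(secret: bytes = SERVER_SECRET):
    """Three cases: legitimate submission, forged cross-site request,
    and a token taken from the attacker's own session replayed against
    the victim's cookie. Returns (True, False, False)."""
    victim = "sess-a1b2c3"  # constructed session id
    attacker = "sess-z9y8x7"  # constructed session id

    # 1. The form the server served to the victim is submitted by the victim.
    legitimate = request_is_authentic(secret, victim, form_action_url(secret, victim))

    # 2. Attacker's page triggers a request to the known endpoint; the browser
    #    sends the victim's cookie, but the URL carries no valid token.
    forged = request_is_authentic(
        secret, victim, "https://bank.example/transfer?to=attacker"
    )

    # 3. Attacker obtains a token for their own session and replays it
    #    against the victim's session cookie: bound to the wrong session.
    replayed = request_is_authentic(secret, victim, form_action_url(secret, attacker))

    return legitimate, forged, replayed


if __name__ == "__main__":
    print(demo())
```

Because the token sits in the URL it shows up wherever URLs do (Referer headers, server logs, browser history), which is the exposure the capability-urls draft is concerned with; tying the token to the session, as here, limits what a leaked URL is worth to whoever also holds that session's cookie.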