W3C home > Mailing lists > Public > www-tag@w3.org > October 2014

Belated comment on capability URLs

From: Jonathan A Rees <rees@mumble.net>
Date: Fri, 10 Oct 2014 13:03:59 -0400
Message-ID: <CAGnGFMKxDWzLKQdZUcZs4Ct7EiZmBosUF-mFdZXB1O+mBM0OGg@mail.gmail.com>
To: "www-tag@w3.org" <www-tag@w3.org>
Re http://w3ctag.github.io/capability-urls/

The introduction mentions CSRF defense as a reason to use capability URLs:

a session-specific token within the URL created by a form submission (a
type of capability URL) helps to protect against cross-site request forgery
<http://en.wikipedia.org/wiki/Cross-site_request_forgery>

... but this security reason is not listed later in the document in the
lists of reasons.

The omission seems odd, given that (1) it is given as a reason in the
introduction, (2) the capability community gives CSRF (or 'confused
deputy') defense as a primary reason to use capabilities and (3) the TAG
discussed CSRF defense quite a bit back in 2009 when we worked on this
topic.

I'd suggest adding CSRF defense as a short section 3.x, and adding it to
the summary list in section 5.

Best
Jonathan

(there was lots of discussion but here is one thing I wrote at the time in
case it helps http://www.w3.org/2001/tag/doc/resource-protection/)
Received on Friday, 10 October 2014 17:04:26 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:57:06 UTC