GET becoming unsafe?

I saw some discussion in those TAG minutes about cross-site scripting and GETs perhaps becoming viewed as unsafe. While not quite the example of the GET resulting in POST, our mobile web based apps are never performing POST because of cross-site scripting restrictions, so we use GET for all operations. As I've mentioned before, this pains me. The interesting problem is that our mobile application is a browser based app using phonegap. phonegap allows us to do cross platform mobile development using web technologies. The application is a bundle of phonegap + all our code. We can access all the device specific information, such as location, using an api. This is no different from native code. Thus the browser sandbox, specifically cross-site, is completely inappropriate for an app that uses an embedded browser. Yet we have to deal with it, so it's all GET. There's some irony that doing cross platform web based development using html, javascript, etc. requires breaking one of the crucial foundations of Web Arch.

Cheers,
Dave

Re: GET becoming unsafe?

On Wed, 03 Jun 2009 20:29:34 +0200, David Orchard <orchard@...> wrote:
> There's some irony that doing cross platform web based development
> using html, javascript, etc. requires breaking one of the crucial
> foundations of Web Arch.

We're working on fixing it (as you know):

http://www.w3.org/TR/cors/

--
Anne van Kesteren
http://annevankesteren.nl/

Re: GET becoming unsafe?

Anne,

Let me see if I understand this: Dave can't do POSTs, so his applications are using GET instead. Because the servers allow these GETs, they expose their clients to CSRF attacks. With CORS, a protocol will be defined, and presumably implemented by savvy servers and clients, that will permit certain explicitly authorized cross-site POST requests, so the pressure to abuse GET will be relieved, and the CSRF risk will evaporate. The platforms Dave uses will become convinced somehow that CORS is low-risk, will start to implement it, and everyone will be happy. Yes?

Thanks
Jonathan

On Thu, Jun 4, 2009 at 4:52 AM, Anne van Kesteren <annevk@...> wrote:
> We're working on fixing it (as you know):
>
> http://www.w3.org/TR/cors/

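The arrangement Jonathan summarises, as an added example that is not code from this thread, from the CORS specification or from phonegap: the server side of a state-changing route that refuses GET (so a plain link or image can never trigger the change) and answers the CORS preflight so that an explicitly allowlisted origin may POST cross-site instead. Plain Node.js; the two origins are constructed for the example.

```javascript
// Added example: the server side of the arrangement Jonathan describes.
// A state-changing route (a) refuses GET/HEAD, so a plain link or <img> can
// never trigger the change, and (b) answers CORS preflights so that an
// explicitly allowlisted origin may POST cross-site instead. Plain Node.js.
// Origins are constructed. The server's own origin is listed because
// browsers also send an Origin header on same-origin POST requests.
const ALLOWED_ORIGINS = new Set(["https://api.example.com", "https://app.example.com"]);
const MUTATING_METHODS = new Set(["POST", "PUT", "DELETE"]);
// Node's http module lower-cases incoming header names.
function hdr(req, name) {
  return (req.headers || {})[name.toLowerCase()];
}

// Echo only an allowlisted origin; never "*" on a route that changes state.
function corsHeaders(origin) {
  return { "Access-Control-Allow-Origin": origin, Vary: "Origin" };
}

// Returns {status, headers} for a request to a state-changing route.
function handleStateChange(req) {
  const method = req.method.toUpperCase();
  const origin = hdr(req, "Origin");
  const requested = hdr(req, "Access-Control-Request-Method");

  // 1. Preflight: OPTIONS carrying Access-Control-Request-Method.
  if (method === "OPTIONS" && requested !== undefined) {
    if (origin === undefined || !ALLOWED_ORIGINS.has(origin)) {
      return { status: 403, headers: {} }; // unknown origin gets no grant
    }
    if (!MUTATING_METHODS.has(requested.toUpperCase())) {
      return { status: 403, headers: corsHeaders(origin) };
    }
    return { status: 204, headers: { ...corsHeaders(origin),
      "Access-Control-Allow-Methods": "POST, PUT, DELETE",
      "Access-Control-Allow-Headers": "Content-Type",
      "Access-Control-Max-Age": "600" } };
  }

  // 2. Safe methods must stay safe: never perform the change on GET.
  if (!MUTATING_METHODS.has(method)) {
    return { status: 405, headers: { Allow: "POST, PUT, DELETE" } };
  }

  // 3. Real request: no Origin header means no browser cross-site context;
  //    a present Origin must be allowlisted (the opaque "null" origin is not).
  if (origin === undefined) return { status: 200, headers: {} };
  if (!ALLOWED_ORIGINS.has(origin)) return { status: 403, headers: {} };
  return { status: 200, headers: corsHeaders(origin) };
}
```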
Re: GET becoming unsafe?

The subtlety that I'm bringing up is that the browser hasn't been built with the idea that it could itself be embedded within a trusted application. I *could* do callouts to native code to do the POSTs on the device, but I'd rather stay with the wonderfully documented XHR (thanks Anne!). This is not the typical cross-site scripting, because the 2 sites are the local device and the server.

Dave

On Fri, Jun 5, 2009 at 8:17 AM, Jonathan Rees <jar@...> wrote:
> Anne,
>
> Let me see if I understand this: Dave can't do POSTs, so his
> applications are using GET instead. Because the servers allow these
> GETs, they expose their clients to CSRF attacks. With CORS, a protocol
> will be defined, and presumably implemented by savvy servers and
> clients, that will permit certain explicitly authorized cross-site
> POST requests, so the pressure to abuse GET will be relieved, and the
> CSRF risk will evaporate. The platforms Dave uses will become
> convinced somehow that CORS is low-risk, will start to implement it,
> and everyone will be happy. Yes?
>
> Thanks
> Jonathan

Re: GET becoming unsafe?

Thanks Dave - I'm kind of slow here, and not sure I completely understand your scenario - but no matter, the purpose of my question to Anne was to surface issues like this, and maybe the tactic is working. I would like to understand how CORS will work once deployed and what its limits will be. Do you agree with Anne's statement that CORS will eventually address your situation somehow?

Jonathan

On Fri, Jun 5, 2009 at 2:17 PM, David Orchard <orchard@...> wrote:
> The subtlety that I'm bringing up is that the browser hasn't been
> built with the idea that it could itself be embedded within a trusted
> application. I *could* do callouts to native code to do the POSTs on
> the device, but I'd rather stay with the wonderfully documented XHR
> (thanks Anne!). This is not the typical cross-site scripting,
> because the 2 sites are the local device and the server.
>
> Dave

Re: GET becoming unsafe?

On Fri, 05 Jun 2009 17:17:05 +0200, Jonathan Rees <jar@...> wrote:
> Let me see if I understand this: Dave can't do POSTs, so his
> applications are using GET instead. Because the servers allow these
> GETs, they expose their clients to CSRF attacks. With CORS, a protocol
> will be defined, and presumably implemented by savvy servers and
> clients, that will permit certain explicitly authorized cross-site
> POST requests, so the pressure to abuse GET will be relieved, and the
> CSRF risk will evaporate. The platforms Dave uses will become
> convinced somehow that CORS is low-risk, will start to implement it,
> and everyone will be happy. Yes?

Yes. (It actually has other benefits too, such as being able to read the response without letting the third party execute JavaScript on your page, which should help adoption.)

--
Anne van Kesteren
http://annevankesteren.nl/

Re: GET becoming unsafe?

On 4 June 2009 at 04:52, Anne van Kesteren wrote:
> We're working on fixing it (as you know):
>
> http://www.w3.org/TR/cors/

POST becoming getting a safe mask?

Styling buttons to look like links
http://natbat.net/2009/Jun/10/styling-buttons-as-links/

Re: GET becoming unsafe?

Thanks for the link. Natalie is awesome. So's Simon :-)

Cheers,
Dave

On Wed, Jun 10, 2009 at 8:13 PM, Karl Dubost <karl+w3c@...> wrote:
> On 4 June 2009 at 04:52, Anne van Kesteren wrote:
>
> POST becoming getting a safe mask?
>
> Styling buttons to look like links
> http://natbat.net/2009/Jun/10/styling-buttons-as-links/

Re: GET becoming unsafe?

Hi Dave,

ext David Orchard wrote:
> The subtlety that I'm bringing up is that the browser hasn't been
> built with the idea that it could itself be embedded within a trusted
> application.

What is a "trusted application" for the purposes of this discussion? Trusted by whom?

> I *could* do callouts to native code to do the POSTs on
> the device, but I'd rather stay with the wonderfully documented XHR
> (thanks Anne!). This is not the typical cross-site scripting,
> because the 2 sites are the local device and the server.

My grandmother used to say "never trust a client, no matter what jiggery-pokery the client is capable of".

- johnk

Re: GET becoming unsafe?

The application is trusted by the user as they have paid for and installed it on their device. It is trusted by the device to the extent that any application is trusted by the device. Applications that aren't built on a browser have access to whatever the device's sandbox gives them. There is a sandbox for all applications; for example, other applications' files and configurations are not available.

Cheers,
Dave

On Fri, Jun 12, 2009 at 6:38 AM, John Kemp <john.kemp@...> wrote:
> Hi Dave,
>
> ext David Orchard wrote:
>
> What is a "trusted application" for the purposes of this discussion? Trusted
> by whom?
>
> My grandmother used to say "never trust a client, no matter what
> jiggery-pokery the client is capable of".
>
> - johnk