
Re: GET becoming unsafe?

by John Kemp (Nokia-S&S/Williamstown)


Hi Dave,

ext David Orchard wrote:
> The subtlety that I'm bringing up is that the browser hasn't been
> built with the idea that itself could be embedded within a trusted
> application.

What is a "trusted application" for the purposes of this discussion?
Trusted by whom?

>  I *could* do callouts to native code to do the POSTs on
> the device, but I'd rather stay with the wonderfully documented XHR
> (thanks Anne!). This is not the typical cross-site scripting,
> because the 2 sites are the local device and the server.

My grandmother used to say "never trust a client, no matter what
jiggery-pokery the client is capable of".

- johnk

>
> Dave
>
> On Fri, Jun 5, 2009 at 8:17 AM, Jonathan Rees <jar@...> wrote:
>> Anne,
>>
>> Let me see if I understand this: Dave can't do POSTs, so his
>> applications are using GET instead. Because the servers allow these
>> GETs, they expose their clients to CSRF attacks. With CORS, a protocol
>> will be defined, and presumably implemented by savvy servers and
>> clients, that will permit certain explicitly authorized cross-site
>> POST requests, so the pressure to abuse GET will be relieved, and the
>> CSRF risk will evaporate. The platforms Dave uses will become
>> convinced somehow that CORS is low-risk, will start to implement it,
>> and everyone will be happy. Yes?
>>
>> Thanks
>> Jonathan
>>
>> On Thu, Jun 4, 2009 at 4:52 AM, Anne van Kesteren <annevk@...> wrote:
>>> On Wed, 03 Jun 2009 20:29:34 +0200, David Orchard <orchard@...> wrote:
>>>> There's some irony that doing cross platform web based development
>>>> using html, javascript, etc. requires breaking one of the crucial
>>>> foundations of Web Arch.
>>> We're working on fixing it (as you know):
>>>
>>>  http://www.w3.org/TR/cors/
>>>
>>>
>>> --
>>> Anne van Kesteren
>>> http://annevankesteren.nl/
>>>
>>>
>
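A constructed illustration of the point in the quoted exchange, added here and not part of the thread: a state-changing operation reachable by GET is exposed to CSRF because any page can make the victim's browser fetch the URL with its cookies attached, whereas a POST-only endpoint that opts specific origins in through CORS and re-checks the Origin header on the real request is not. The bank/app/attacker origins, the `/transfer` path, the session cookie value and the request shapes are all assumptions for the model; the handlers are pure functions standing in for a server, and the "browser" functions construct the requests a browser would send in each scenario. The example goes one step beyond the thread by also modelling a cross-site HTML form POST, which is sent without any preflight and is the reason the Origin check on the actual request matters.

```javascript
// Added example (not from the thread): a toy model of the CSRF exposure the
// quoted messages describe. Origins, paths and cookie values are assumed.
const ALLOWED_ORIGINS = new Set(["https://app.example"]); // assumed CORS allowlist
const SESSION_COOKIE = "session=alice";                  // assumed logged-in cookie

function makeAccount() {
  return { balance: 100, log: [] };
}

function debit(account, params) {
  const amount = Number(params.get("amount"));
  account.balance -= amount;
  account.log.push({ to: params.get("to"), amount });
}

// VULNERABLE: a state-changing operation reachable by GET and authorised only by
// the ambient session cookie. Any page that embeds the URL (e.g. in <img src>)
// makes the victim's browser perform the transfer.
function vulnerableHandler(account, req) {
  const url = new URL(req.path, "https://bank.example");
  if (url.pathname !== "/transfer") return { status: 404, headers: {} };
  if (req.headers.cookie !== SESSION_COOKIE) return { status: 401, headers: {} };
  debit(account, url.searchParams);
  return { status: 200, headers: {} };
}

// HARDENED: POST only. Cross-site callers are admitted via CORS preflight solely
// when their Origin is allowlisted, and the Origin is checked again on the real
// request because a plain HTML form POST is sent with no preflight at all.
// An absent Origin header is rejected here (a deliberate policy assumption).
function hardenedHandler(account, req) {
  const url = new URL(req.path, "https://bank.example");
  if (url.pathname !== "/transfer") return { status: 404, headers: {} };
  const origin = req.headers.origin;
  const corsHeaders = {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
  if (req.method === "OPTIONS") {
    if (!ALLOWED_ORIGINS.has(origin)) return { status: 403, headers: {} };
    return { status: 204, headers: { ...corsHeaders, "Access-Control-Allow-Methods": "POST" } };
  }
  if (req.method !== "POST") return { status: 405, headers: { Allow: "POST, OPTIONS" } };
  if (!ALLOWED_ORIGINS.has(origin)) return { status: 403, headers: {} };
  if (req.headers.cookie !== SESSION_COOKIE) return { status: 401, headers: {} };
  debit(account, new URLSearchParams(req.body));
  return { status: 200, headers: corsHeaders };
}

// ---- Simulated browser behaviour (constructed requests, not real traffic) ----

// <img src="https://bank.example/transfer?to=mallory&amount=40"> on attacker.example:
// a cross-site GET that carries the victim's cookie and sends no Origin header.
function imgTagCsrf(handler, account) {
  return handler(account, {
    method: "GET",
    path: "/transfer?to=mallory&amount=40",
    headers: { cookie: SESSION_COOKIE },
  });
}

// An auto-submitted <form method="POST"> on attacker.example: the browser sends
// the cookie and an Origin header, but performs no preflight.
function formPostCsrf(handler, account) {
  return handler(account, {
    method: "POST",
    path: "/transfer",
    headers: { origin: "https://attacker.example", cookie: SESSION_COOKIE },
    body: "to=mallory&amount=40",
  });
}

// A cross-site XHR POST from `origin` carrying a non-safelisted header
// (X-Requested-With), which makes the browser send a preflight first and issue
// the real request only if the preflight admits that origin.
function corsXhrPost(handler, account, origin) {
  const preflight = handler(account, {
    method: "OPTIONS",
    path: "/transfer",
    headers: { origin, "access-control-request-method": "POST" },
  });
  if (preflight.status !== 204 || preflight.headers["Access-Control-Allow-Origin"] !== origin) {
    return { preflight, actual: null };
  }
  const actual = handler(account, {
    method: "POST",
    path: "/transfer",
    headers: { origin, cookie: SESSION_COOKIE, "x-requested-with": "XMLHttpRequest" },
    body: "to=mallory&amount=40",
  });
  return { preflight, actual };
}
```

Running the scenarios against both handlers shows the asymmetry: `imgTagCsrf` drains 40 from the account behind `vulnerableHandler` but gets a 405 from `hardenedHandler`; `corsXhrPost` from `https://attacker.example` is stopped at the preflight, while the same call from `https://app.example` completes; and `formPostCsrf`, which never triggers a preflight, is refused by the Origin check on the POST itself. Note that CORS headers only govern what a cross-site script may send and read; a server that still accepts state changes on GET, or skips the Origin check on simple POSTs, gains nothing from them.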

