Mike Ter Louw wrote:
There is a usability issue here: is it more usable (w.r.t. the web
developer) to:
(1) support a declaration of "anti-csrf" and enable the widest default
set of protections that could be offered against CSRF (without being too
strict as to break the most common use cases), but possibly having
multiple modules specifying (complementary) form policies, or
(2) group all form-related policies in a single module, even if the
policies address fundamentally different attacks?
Is it acceptable (not too strict) to block all form submission to
non-self and non-whitelisted action URIs when the anti-csrf directive is
given? If so, then the above usability issue may be moot: we can have
anti-csrf imply an as-yet-undefined directive that blocks form submission.
Mike
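A model of the submission check Mike describes (block a form submission unless its action URI is same-origin or on the whitelist), written as an added example rather than anything from the thread or from Mozilla's implementation. The directive name "anti-csrf", the whitelist syntax (space-separated source expressions, with 'self' standing for the document's origin), and the same-origin comparison by scheme/host/port are all assumptions made here for illustration.

```javascript
// Added example modelling the proposed "anti-csrf" form-action check.
// Assumed syntax: anti-csrf 'self' https://trusted.example ...
// Uses the WHATWG URL class that Node.js exposes globally.

// Parse the directive into its list of whitelisted source expressions.
// A bare "anti-csrf" yields an empty whitelist: only same-origin actions pass.
function parsePolicy(header) {
  const [name, ...sources] = header.trim().split(/\s+/).filter(Boolean);
  if (name !== "anti-csrf") {
    throw new Error("unsupported directive: " + name);
  }
  return sources;
}

// Origin (scheme://host:port) of a URL string, or null if it does not parse.
function originOf(u) {
  try {
    return new URL(u).origin;
  } catch (e) {
    return null;
  }
}

// Decide whether a form on the page at documentUrl may submit to actionUrl.
// Relative (or empty) action attributes resolve against the document URL,
// matching how browsers compute a form's target.
function isFormActionAllowed(documentUrl, actionUrl, sources) {
  const docOrigin = originOf(documentUrl);
  const target = new URL(actionUrl, documentUrl);

  // "non-self" actions are blocked unless whitelisted: self is always allowed.
  if (target.origin === docOrigin) {
    return true;
  }
  // Otherwise the target origin must match one of the listed sources.
  return sources.some(
    (src) => src !== "'self'" && originOf(src) === target.origin
  );
}

// Evaluate a batch of form actions found on one page and report each decision.
function evaluateForms(documentUrl, header, actions) {
  const sources = parsePolicy(header);
  const report = {};
  for (const action of actions) {
    report[action] = isFormActionAllowed(documentUrl, action, sources)
      ? "allow"
      : "block";
  }
  return report;
}

// Constructed sample page and forms (not real sites).
const sampleReport = evaluateForms(
  "https://shop.example.com/cart",
  "anti-csrf 'self' https://pay.example.com",
  [
    "/checkout",                          // same-origin, allowed
    "https://pay.example.com/submit",     // whitelisted origin, allowed
    "http://shop.example.com/checkout",   // scheme differs, not same-origin
    "https://attacker.example.net/collect" // not listed, blocked
  ]
);
console.log(sampleReport);
```

Note that the scheme is part of the origin comparison, so a downgrade from https to http on the same host counts as "non-self" and is blocked; whether a real directive should treat that case specially is one of the design questions the thread leaves open.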
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security