On Wed, Jun 17, 2009 at 4:46 PM, Ian Hickson <[email protected]> wrote: > But... we want the page talking on behalf of the user. That's the point > of a browser.
Not in this way. At least not according to Roy Fielding (Mr. REST) < http://lists.w3.org/Archives/Public/ietf-http-wg/2009JanMar/0037.html>. > I don't really understand what we're trying to prevent here. > Confused deputies such as XSRF problems. Original paper is at < http://www.cis.upenn.edu/~KeyKOS/ConfusedDeputy.html>. It's well worth rereading. Much deeper than it at first appears. Perhaps my own <srl.cs.jhu.edu/pubs/SRL2003-02.pdf> may help. The threads and links already cited should make the connection with browser security clear. I'm not really sure what more to explain. Perhaps you could ask a more specific question? -- Cheers, --MarkM
