On Wed, 17 Jun 2009, Mark S. Miller wrote:
> > I don't really understand what we're trying to prevent here.
>
> Confused deputies such as XSRF problems. Original paper is at
> <http://www.cis.upenn.edu/~KeyKOS/ConfusedDeputy.html>. It's well worth
> rereading. Much deeper than it at first appears.
Could you describe a concrete attack that you are concerned about? I don't really see how the article you cite applies here.

> Perhaps my own <srl.cs.jhu.edu/pubs/SRL2003-02.pdf> may help.
>
> The threads and links already cited should make the connection with
> browser security clear.

Maybe I'm just too stupid for this job, but I don't understand the connection at a concrete level. I mean, I think I understand the kind of threats we're talking about, but as far as I can tell, CORS takes care of them all.

> I'm not really sure what more to explain. Perhaps you could ask a more
> specific question?

Could you show some sample code maybe that shows the specific threat you are concerned about?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
