Hi Mark,
Thanks for your feedback. At a high level, you seem concerned about
very advanced sites (e.g., ones that use object-capability mashups). The
Origin-header-as-CSRF-defense is aimed at making CSRF defense easier
for simple sites. Just like you need to do complex gymnastics to
avoid XSS when
On Fri, Jun 5, 2009 at 9:42 PM, Mark S. Miller erig...@google.com wrote:
[+www-tag]
I have received several private responses to my post, but oddly, nothing
public yet. In these responses, I have been asked most frequently about:
Sorry for the lag in public comments.
On Wed, Jun 3, 2009 at
On Sun, Jun 7, 2009 at 12:17 PM, Adam Barth w...@adambarth.com wrote:
On Wed, Jun 3, 2009 at 4:21 PM, Mark S. Miller erig...@google.com
wrote:
Since malicious machines, or malicious applications running on trusted
machines, can send messages that aren't self-identified as cross origin,
On Sun, Jun 7, 2009 at 2:53 PM, Mark S. Miller erig...@google.com wrote:
While I clearly am concerned about object-capability mashups, from your
response, and from some private responses I've received, I have clearly
created some confusion by leading with this example. The point I am making
On Sun, Jun 7, 2009 at 3:21 PM, Mark S. Miller erig...@google.com wrote:
If the hypothesis I am raising is indeed not a problem, then it doesn't
matter whether these same origin requests carry Origin: null or nothing.
What matters is that JavaScript code have a standard way to request their
[- all but Adam and public-webapps]
On Sun, Jun 7, 2009 at 3:24 PM, Adam Barth w...@adambarth.com wrote:
On Sun, Jun 7, 2009 at 2:53 PM, Mark S. Miller erig...@google.com wrote:
If servers at A don't freely hand out such tokens in response to
guessable GET requests, then the secret token
On Sun, Jun 7, 2009 at 3:46 PM, Mark S. Miller erig...@google.com wrote:
[- all but Adam and public-webapps]
On Sun, Jun 7, 2009 at 3:24 PM, Adam Barth w...@adambarth.com wrote:
On Sun, Jun 7, 2009 at 2:53 PM, Mark S. Miller erig...@google.com wrote:
If servers at A don't freely hand out
On Sun, Jun 7, 2009 at 3:54 PM, Adam Barth w...@adambarth.com wrote:
GET really doesn't have anything to do with it. The attacker can
issue POST requests (and really any other method) too. Note that the
attacker can read the response and follow any links, etc.
Recall that we were examining
On Sun, Jun 7, 2009 at 4:18 PM, Mark S. Miller erig...@google.com wrote:
On Sun, Jun 7, 2009 at 3:54 PM, Adam Barth w...@adambarth.com wrote:
GET really doesn't have anything to do with it. The attacker can
issue POST requests (and really any other method) too. Note that the
attacker can
On Sun, Jun 7, 2009 at 4:29 PM, Adam Barth w...@adambarth.com wrote:
Right, but once the attacker has XSSed site A, the attacker learns the
secret token necessary to issue the next request in the chain to site
A regardless of the method.
Recall that this is in response to
On Sun, Jun 7,