- From: Tyler Close <tyler.close@gmail.com>
- Date: Tue, 16 Feb 2010 23:50:34 -0800
- To: Jonathan Rees <jar@creativecommons.org>
- Cc: www-tag@w3.org
Are you asking for something different from what is presented at:

http://waterken.sourceforge.net/web-key/#cap_xsrf

It's not just that unguessable URIs are helpful in CSRF defense, but rather it is not possible to construct a CSRF attack when the private resource is identified by only an unguessable URI. A CSRF attack depends upon knowing the URL for the private resource.

--Tyler

On Tue, Feb 16, 2010 at 1:19 PM, Jonathan Rees <jar@creativecommons.org> wrote:
> Tyler,
>
> I think it would be useful in this discussion to have a CSRF defense
> use case on hand, since that's where this discussion started [1]. Can
> you provide a simple but somewhat realistic scenario where unguessable
> URIs might be helpful in CSRF defense?
>
> Thanks
> Jonathan
>
> [1] http://www.w3.org/2001/tag/2009/06/23-minutes.html#item05
>
> Tracker, this is ACTION-278
>

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Wednesday, 17 February 2010 07:51:07 UTC
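The point Tyler makes above, that CSRF needs a URL the attacker can construct, is easiest to see side by side: a resource addressed by a predictable path plus an ambient cookie, versus one addressed only by an unguessable key. The following is an added illustration written for this archive page; it is not code from the thread or from the Waterken project. It assumes a toy in-memory service, a 128-bit key, a `https://example.invalid/app/` base URL and a `#s=<key>` fragment layout (modelled on, but not copied from, the web-key document linked above); the account data is constructed sample input.

```python
import secrets
from urllib.parse import urlsplit, parse_qs

# Constructed sample data for this illustration; not from the thread.
ACCOUNTS = {
    "alice": {"balance": 100},
    "bob": {"balance": 50},
}


class GuessableUrlService:
    """Resources live at predictable paths (/account/<name>) and are
    authorised by an ambient session cookie. Any page that knows the
    victim's name can build the URL, and the browser attaches the cookie,
    so the server cannot tell a cross-site request from a legitimate one:
    the precondition for CSRF that the message above describes."""

    def resolve(self, path, cookie_user):
        parts = path.strip("/").split("/")
        if len(parts) == 2 and parts[0] == "account" and parts[1] == cookie_user:
            return ACCOUNTS.get(parts[1])
        return None


class WebKeyService:
    """Resources are reachable only through an unguessable key carried in
    the URL fragment. Knowing the key is the authority; no cookie is
    consulted, so a page that cannot name the key cannot address the
    resource at all."""

    KEY_BYTES = 16  # 128 bits of entropy (assumed sufficient here)
    BASE = "https://example.invalid/app/"  # assumed host, not a real one

    def __init__(self):
        self._by_key = {}  # key -> account name

    def mint(self, account_name):
        # secrets, not random: the key must be cryptographically unguessable.
        key = secrets.token_urlsafe(self.KEY_BYTES)
        self._by_key[key] = account_name
        # The key sits in the fragment: browsers do not send the fragment in
        # the request line or the Referer header, so it is not leaked to
        # other sites; client-side code forwards it to the server.
        return f"{self.BASE}#s={key}"

    def resolve(self, url):
        keys = parse_qs(urlsplit(url).fragment).get("s", [])
        if len(keys) != 1:  # missing or ambiguous key: refuse
            return None
        name = self._by_key.get(keys[0])
        return ACCOUNTS.get(name) if name else None


def csrf_possible_with_guessable_urls(victim="alice"):
    """A third-party page knowing only the victim's name reaches the resource."""
    svc = GuessableUrlService()
    return svc.resolve(f"/account/{victim}", cookie_user=victim) is not None


def csrf_possible_with_web_keys(victim="alice"):
    """The same third party cannot reach it: it can only build a URL from
    public information, and the real key was handed to the victim alone."""
    svc = WebKeyService()
    svc.mint(victim)  # the unguessable URL goes only to the victim
    public_guess = f"{WebKeyService.BASE}#s={victim}"
    return svc.resolve(public_guess) is not None


def legitimate_web_key_access(victim="alice"):
    """The holder of the minted URL reaches the resource normally."""
    svc = WebKeyService()
    return svc.resolve(svc.mint(victim))


if __name__ == "__main__":
    print("guessable URL, forgeable:", csrf_possible_with_guessable_urls())
    print("web-key URL, forgeable:  ", csrf_possible_with_web_keys())
    print("web-key URL, legitimate: ", legitimate_web_key_access())
```

The two `resolve` methods differ in what they treat as proof of authority: the first trusts a cookie the browser sends on any request, the second trusts only possession of a key that never leaves the URL the owner was given. The fragment placement matters in practice; putting the key in the path or query would expose it through Referer headers and server logs.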