- From: Thomas Roessler <tlr@w3.org>
- Date: Fri, 5 Jun 2009 19:12:29 +0200
- To: noah_mendelsohn@us.ibm.com
- Cc: www-tag@w3.org
On 5 Jun 2009, at 16:06, noah_mendelsohn@us.ibm.com wrote: >> In that circumstance, a "log out to prevent XSRF" practice just >> doesn't make sense. > > Well, it does if the collection of applications/sites you have active > includes at most one in which you have login credentials giving > permission > to access or change sensitive information. For myself, I try to > maintain > that self-imposed restriction, and it would be easier and safer if > my user > agent helped me to do that. I'm not saying that this is a complete > solution, but maybe a piece of the puzzle. For example, if the user > agent > were aware of such logins being active, it could warn when a script > from > another site was taking advantage of them. I suspect that we're operating from divergent assumptions how Web applications will develop and be used: I fully expect that we'll see more and more mash-ups where the browser will need access to private data hosted on different origins at the same time for the applications to function. I also expect that we'll see more, not less, different Web applications being used in parallel by the user. If we think of the Web as an application platform, then the behavior that you suggest seems to get fairly close to only ever running a single application on a PC.
Received on Friday, 5 June 2009 17:12:37 UTC