Re: ACTION-243 Propose link from note to threat trees (ISSUE-77)

On 2007-07-30 15:06:03 -0400, Mary Ellen Zurko wrote:

>>> The issue I have with the parenthesis is that I don't see
>>> what's in our scope that could possibly deal with the "pure
>>> action" form of CSRF (as opposed to one that also requires
>>> the user to input data). By "pure action" I mean a URL based
>>> web application command that the user can legitimately issue
>>> (particularly when they are in an authenticated session with
>>> the web application). The defenses I know of to address that
>>> all take the form of tying the URL command to the user's
>>> session (with a nonce, for example) so that the URL command
>>> cannot be easily, blindly generated by the "attacker" as
>>> something the user will mistakenly click on.

>> Well, this is getting into HTTP POST vs. GET discussions: Use
>> GET for side-effect free activities, use POST for side-effect
>> bearing activities.  Don't play with nonces and GET in order to
>> poorly imitate POST.

http://www.w3.org/2001/tag/doc/whenToUseGet.html#safe

This finding includes a lot of good stuff on when to use and when
not to use POST; your example actually sounds like abuse of GET with
all kinds of interesting consequences.

I remember all kinds of interesting interactions when some common
browser toolbar started pre-fetching URLs linked from pages (based
on GET being safe).  Therefore, careful!

>> I think the threats that are listed in the wiki below this
>> particular high-level theme indeed sound as if they are in
>> scope, and I also think the "cause an action" part is a useful
>> explanation, so I'd propose we keep the current text.

> Thank you for referring me to the threats in the wiki. The
> attacks are all form based, not "pure actions" (without any
> additional user data). The parenthetical part of your proposal
> (which you stripped from this thread) implies that we're covering
> "pure action" CSRFs. We're not. It should be removed. Otherwise,
> the text is great. 

Back on topic, Tyler has replaced the text in question with other
material, so I think this action and the discussion about it are
obsolete.

Oops.

Regards,
-- 
Thomas Roessler, W3C  <tlr@w3.org>

Received on Monday, 30 July 2007 19:20:05 UTC
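The two defenses the thread touches on, added here as a worked example that is not part of the original message or of any W3C or WSC deliverable: a state-changing command is refused over GET (so link prefetchers and crawlers that treat GET as safe cannot trigger it), and the POST form of the command must carry a token bound to the caller's session, so a third-party page cannot blindly forge it. All names (`new_session`, `handle_request`, the `/transfer` and `/balance` paths, the in-memory stores) are this example's own assumptions, not an API from the page.

```python
"""Added example (not from the W3C thread): a minimal request handler that
applies two rules discussed in the thread.

  1. A side-effect bearing command is only accepted over POST; GET is
     treated as safe and may be prefetched, so it must not change state.
  2. The POST must carry a token tied to the user's session, so a request
     generated blindly from another site is rejected.

All names and the in-memory stores below are constructed for this example.
"""
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed in-memory stores; a real application keeps these server-side.
SESSIONS: Dict[str, dict] = {}
BALANCES: Dict[str, int] = {}


def new_session(user: str, balance: int = 100) -> str:
    """Create a session for `user` and mint a per-session CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    BALANCES.setdefault(user, balance)
    return sid


def csrf_token(sid: str) -> str:
    """Token the server embeds in its own forms for this session."""
    return SESSIONS[sid]["csrf"]


def handle_request(sid: Optional[str], method: str, path: str,
                   form: Optional[Dict[str, str]] = None) -> Tuple[int, str]:
    """Dispatch one request; returns (HTTP status, body)."""
    form = form or {}
    sess = SESSIONS.get(sid) if sid else None
    if sess is None:
        return 401, "no session"

    if path == "/balance":
        # Safe, idempotent read: fine to serve over GET.
        return 200, str(BALANCES[sess["user"]])

    if path == "/transfer":
        if method != "POST":
            # Rule 1: never perform a side effect in response to GET.
            return 405, "use POST"
        supplied = form.get("csrf", "")
        # Rule 2: the token must match this session's token.
        # Constant-time comparison avoids leaking the token byte by byte.
        if not hmac.compare_digest(supplied, sess["csrf"]):
            return 403, "bad csrf token"
        amount = int(form.get("amount", "0"))
        BALANCES[sess["user"]] -= amount
        return 200, f"transferred {amount}"

    return 404, "not found"


if __name__ == "__main__":
    sid = new_session("alice")
    print(handle_request(sid, "GET", "/transfer", {"amount": "10"}))
    print(handle_request(sid, "POST", "/transfer",
                         {"amount": "10", "csrf": csrf_token(sid)}))
```

Because the token is stored per session and compared against the session that sent the request, a token taken from one session does not authorize a transfer in another; the check in `handle_request` therefore rejects both a tokenless POST and a POST carrying someone else's token.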