- From: <noah_mendelsohn@us.ibm.com>
- Date: Fri, 5 Jun 2009 14:12:32 -0400
- To: Thomas Roessler <tlr@w3.org>
- Cc: www-tag@w3.org
Thomas Roessler wrote:
> I suspect that we're operating from divergent assumptions about how Web
> applications will develop and be used: I fully expect that we'll see
> more and more mash-ups where the browser will need access to private
> data hosted on different origins at the same time for the applications
> to function. I also expect that we'll see more, not less, different
> Web applications being used in parallel by the user.
Fair enough, thank you.
Noah
--------------------------------------
Noah Mendelsohn
IBM Corporation
One Rogers Street
Cambridge, MA 02142
1-617-693-4036
--------------------------------------
Thomas Roessler <tlr@w3.org>
06/05/2009 01:12 PM
To: noah_mendelsohn@us.ibm.com
cc: www-tag@w3.org
Subject: Re: Cross Site Request Forgery and GET (ACTION-274)
On 5 Jun 2009, at 16:06, noah_mendelsohn@us.ibm.com wrote:
>> In that circumstance, a "log out to prevent XSRF" practice just
>> doesn't make sense.
>
> Well, it does if the collection of applications/sites you have active
> includes at most one in which you have login credentials giving
> permission to access or change sensitive information. For myself, I try
> to maintain that self-imposed restriction, and it would be easier and
> safer if my user agent helped me to do that. I'm not saying that this is
> a complete solution, but maybe a piece of the puzzle. For example, if the
> user agent were aware of such logins being active, it could warn when a
> script from another site was taking advantage of them.
I suspect that we're operating from divergent assumptions about how Web
applications will develop and be used: I fully expect that we'll see
more and more mash-ups where the browser will need access to private
data hosted on different origins at the same time for the applications
to function. I also expect that we'll see more, not less, different
Web applications being used in parallel by the user.
If we think of the Web as an application platform, then the behavior
that you suggest seems to get fairly close to only ever running a
single application on a PC.
Received on Friday, 5 June 2009 18:13:20 UTC