On Tue, 23 Oct 2007, Anne van Kesteren wrote:
>
> One of our security guys is not happy with cross-site authenticated GET
> requests without some sort of verification from the server beforehand
> that it is actually ok to do that. Even though this is already possible
> to do so currently using <img> and <iframe> he thinks that practice
> shouldn't be further supported by making it mandatory for user agents to
> support that. The thought being that it might be possible to improve the
> situation for <img>/<iframe>/etc. at some point in the future. Any
> thoughts?
It will always be possible to do cross-site requests for <img>, <iframe>, <script>, <form>, ... there are billions of pages depending on it. What is the attack vector that is being mitigated by not allowing it? GETs are by definition supposed to be side-effect-free.

-- 
Ian Hickson
http://ln.hixie.ch/
Things that are impossible just take longer.
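The exchange above turns on two points: a cross-site authenticated GET is only dangerous when the GET handler has side effects, and a server cannot tell an <img>-triggered GET from a legitimate one unless the request carries some same-site evidence. The following is an added example, not code from the thread or from any spec, showing a small server-side policy that audits a route table for state-changing GET routes and gates state-changing requests on the Origin / Sec-Fetch-Site headers; the route names and site origin are constructed for illustration.

```javascript
// Added example: enforce "GET is side-effect-free" and reject cross-site
// state changes. Routes and SITE_ORIGIN are constructed, not from the thread.
const SITE_ORIGIN = "https://app.example"; // constructed origin of the site

// Route table: each route declares whether it changes server state.
// A state-changing route bound to GET is exactly the design that makes
// cookie-authenticated <img>/<iframe> loads from another site harmful.
const ROUTES = [
  { method: "GET",  path: "/profile",        sideEffects: false },
  { method: "GET",  path: "/delete-account", sideEffects: true  }, // misdesigned
  { method: "POST", path: "/delete-account", sideEffects: true  },
];

// Audit: list GET/HEAD routes that change state (should be empty).
function auditRoutes(routes) {
  return routes
    .filter(r => (r.method === "GET" || r.method === "HEAD") && r.sideEffects)
    .map(r => `${r.method} ${r.path}`);
}

// Decide whether a request may reach its handler. `req` carries method,
// path and headers with lower-cased names; cookies are assumed attached,
// as a browser does for <img>, <iframe> and credentialed XHR alike.
function decide(req, routes = ROUTES) {
  const route = routes.find(r => r.method === req.method && r.path === req.path);
  if (!route) return { allow: false, reason: "no such route" };
  if (!route.sideEffects) return { allow: true, reason: "side-effect-free" };

  // State-changing: require evidence the request is same-site. Browsers
  // send Origin on form POSTs and CORS requests, and Sec-Fetch-Site on
  // every request; a cross-site <img> GET carries neither as same-origin.
  const origin = req.headers["origin"];
  const fetchSite = req.headers["sec-fetch-site"];
  if (origin === SITE_ORIGIN || fetchSite === "same-origin") {
    return { allow: true, reason: "same-site state change" };
  }
  return { allow: false, reason: "cross-site state-changing request" };
}
```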
