Bjoern Hoehrmann wrote:
> * Anne van Kesteren wrote:
>> You already said that. I'm not sure how you think that helps.
>
> I think Thomas read you as saying it's good practice if authors of web
> services that handle POST requests secure their service against cross-
> site <form> submissions, but do not secure them against cross-site XHR
> requests, whereas you were really saying, authors have to do the former
> and might not currently do the latter, independent of good practices.
> His point is that you really have to secure them against both, whatever
> that may mean for a particular service, so there is no difference from
> the perspective of the author's site. The relevance of your distinction
> to the discussion is that one wants to minimize the ways in which web
> browsers can be used to attack poorly secured web services, and Thomas
> was asking to which degree this actually has security benefits.
Why do you have to currently check for cross-site XHR POST requests? I
would argue that you don't, and that there very likely are servers out
there that don't. Thus, if we simply allowed cross-site XHR POST
requests we'd make such servers vulnerable whereas they didn't use to be.

I agree that there very likely are servers out there that are vulnerable
to cross-site <form> POST requests. That is bad, but I don't think that
is anything we can nor should do anything about here.
/ Jonas
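The gap the thread circles around is a server that is protected against cross-site <form> POSTs but not against cross-site XHR POSTs. The following is an added illustration, not code from this thread or from any real server: a weak check that only demands a token for form-encoded bodies (on the assumption that a JSON body cannot come from a <form>), beside a check that requires a matching origin and a session-bound token for every state-changing request. The `Request` shape, the header names, the origin `https://app.example` and all sample requests are constructed assumptions.

```python
"""Server-side CSRF checks compared: one that only covers cross-site <form>
POSTs, and one that treats <form> and XHR POSTs alike.
Constructed illustration; the request shape, header names and sample
requests are assumptions, not code from the thread or any real server."""

from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
import hmac

SITE_ORIGIN = "https://app.example"  # constructed origin of the legitimate site
TOKEN = "tok-constructed-0123"        # constructed per-session anti-CSRF token


@dataclass
class Request:
    method: str
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)
    # token the server bound to the caller's session (looked up from the cookie)
    session_token: Optional[str] = None


def request_origin(req: Request) -> Optional[str]:
    """Origin header first; Referer's scheme://host as a fallback."""
    origin = req.headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    referer = req.headers.get("Referer")
    if referer and "://" in referer:
        scheme, rest = referer.split("://", 1)
        return scheme + "://" + rest.split("/", 1)[0]
    return None


def form_only_check(req: Request) -> bool:
    """Weak check: a JSON body cannot be produced by a cross-site <form>, so a
    token is only demanded for form-encoded bodies. Sufficient against <form>
    submissions; defeated once cross-site XHR may send arbitrary content types."""
    if req.method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True
    if req.headers.get("Content-Type", "").startswith("application/json"):
        return True
    return bool(req.session_token) and req.form.get("csrf_token") == req.session_token


def csrf_check(req: Request) -> bool:
    """Stronger check: every state-changing request needs a matching origin AND
    a session-bound token, however the browser assembled the request."""
    if req.method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True
    if request_origin(req) != SITE_ORIGIN:
        return False
    sent = req.form.get("csrf_token") or req.headers.get("X-CSRF-Token")
    if not sent or not req.session_token:
        return False
    return hmac.compare_digest(sent, req.session_token)


def sample_requests() -> Dict[str, Request]:
    """Constructed requests as a browser would send them from each page.
    The victim's session cookie rides along in every case, so the server
    always sees the session token; only the legitimate page can read it."""
    form_ct = "application/x-www-form-urlencoded"
    return {
        "same_site_form": Request("POST", {"Origin": SITE_ORIGIN, "Content-Type": form_ct},
                                  {"amount": "10", "csrf_token": TOKEN}, TOKEN),
        "cross_site_form": Request("POST", {"Origin": "https://other.example", "Content-Type": form_ct},
                                   {"amount": "10"}, TOKEN),
        "cross_site_xhr_json": Request("POST", {"Origin": "https://other.example",
                                                "Content-Type": "application/json"}, {}, TOKEN),
        "same_site_xhr_json": Request("POST", {"Origin": SITE_ORIGIN, "Content-Type": "application/json",
                                               "X-CSRF-Token": TOKEN}, {}, TOKEN),
        "plain_get": Request("GET", {"Origin": "https://other.example"}, {}, TOKEN),
    }


def evaluate() -> Dict[str, Tuple[bool, bool]]:
    """(form_only_check, csrf_check) per sample; the cross_site_xhr_json row
    is exactly the request class the thread says servers may not check."""
    return {name: (form_only_check(r), csrf_check(r)) for name, r in sample_requests().items()}


if __name__ == "__main__":
    for name, (weak, strong) in evaluate().items():
        print(f"{name:20} form-only={weak!s:5} origin+token={strong}")
```

The row to look at is `cross_site_xhr_json`: the content-type-only check accepts it, while the origin-plus-token check rejects it, which is why securing against <form> POSTs alone does not secure the service against cross-site XHR POSTs.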