Mark,
> On Jan 14, 2008, at 11:24 PM, ext Mark Nottingham wrote:
>
>> On 09/01/2008, at 1:36 PM, Jon Ferraiolo wrote:
>>
>>> One thing that strikes me immediately is that there are
>>> requirements about XSS (cross-site scripting) but no mention of
>>> CSRF, which is one of the concern areas from the folks at OpenAjax
>>> Alliance, primarily due to the current specification saying that
>>> cookies will be sent.
>
> +1
>
> From what I understand, the response to this concern is usually
> "that horse has already bolted."
>
> For the record, while I understand this sentiment, I personally
> don't think it's a good excuse to open the door wider.
Where is the data/analysis that clearly backs your claim (that AC4CSR
introduces new attack vectors)? My apologies if I missed this (but
please do send me the pointer(s)).
Thanks, Art Barstow
---