On Tue, 15 Jan 2008 15:20:46 +0100, Jon Ferraiolo <[EMAIL PROTECTED]> wrote:
I described a CSRF scenario in
http://lists.w3.org/Archives/Public/public-appformats/2008Jan/0072.html.
Search for the word "attack". My example attack vector depends on cookies
being sent as part of the cross-site request and assumes that the
simplicity of using Access Control would result in widespread adoption by a
new generation of unsophisticated web service developers who will open up
their APIs to mashup applications without understanding the consequences.
Note that the big CSRF worry here is that cookies are sent with the
requests.

Cookies are already sent for <img>, <script>, and <form> requests. Nothing new. If people mindlessly opt in we might have a problem (though it's really the people that opt in that do), but I would expect that dalmationlovers.invalid & co are using some off-the-shelf software.


--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
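To make the "mindless opt in" point concrete, here is an added example (not from the thread or the spec) contrasting a resource that reflects any Origin while allowing cookies with one that checks an explicit allowlist. The allowlist contents and origins are constructed, and the header names are the later-standardized CORS names rather than the 2008 Access Control draft syntax.

```python
# Added example: server-side opt-in decisions for a cookie-authenticated
# resource, plus a model of the browser check that decides whether the
# requesting page may read the response. Header names follow the CORS set as
# later standardized; the 2008 draft used a different syntax (assumption).
ALLOWED_ORIGINS = {"https://mashup.example"}  # constructed allowlist


def naive_opt_in(request_headers: dict) -> dict:
    """The unsophisticated opt-in: reflect whatever Origin arrives and permit
    credentials. The browser already attaches the cookie (as it does for
    <img>/<script>/<form>), so now any page can also READ the response."""
    origin = request_headers.get("Origin", "*")
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def allowlisted_opt_in(request_headers: dict, with_credentials: bool = False) -> dict:
    """Grant cross-site read access only to vetted origins. Unknown origins get
    no access-control headers, so the browser withholds the body from them."""
    origin = request_headers.get("Origin")
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}
    headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if with_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def response_readable_by(origin: str, headers: dict, sends_cookies: bool) -> bool:
    """Model of the browser-side decision: may a page at `origin` read the body?
    A credentialed response needs an exact origin match and the credentials flag;
    a wildcard never unlocks a cookie-bearing response."""
    allow = headers.get("Access-Control-Allow-Origin")
    if allow is None:
        return False
    if sends_cookies:
        return allow == origin and headers.get("Access-Control-Allow-Credentials") == "true"
    return allow == "*" or allow == origin
```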
