On 2008-01-16 15:47:18 -0800, Jon Ferraiolo wrote:

>> So, let's be precise. The HTTP requests can be triggered using
>> img and script.

> Yes, I agree with last sentence, but it is definitely not true
> that data can be retrieved via <img>, and with <script>, it is a
> complicated story.

Right.

> My main point is that I don't buy the argument that we shouldn't
> claim that there are so many vulnerabilities today that we
> shouldn't worry about the vulnerabilities that are side-effects
> of Access Control, particularly due to its transmission of
> cookies.

*Unauthorized* data retrieval is not a side-effect of the access-control spec, since there needs to be an explicit policy in place in order to enable that data retrieval.

> Thanks for your clear response. Yes, you are right, and I was
> wrong when I said Access Control gets in the way of CSRF
> protection. It's just that it won't be drop-dead simple for a
> server that wants to implement CSRF protection along with Access
> Control. The most popular techniques used today to achieve CSRF
> protection (e.g., hidden form fields holding the nonce) probably
> would warrant some rework to work well in a world that included
> Access Control. But "rework" is different than "get in the way".

Only if the nonce is transmitted along with a policy that lets third parties access it. If a site doesn't use the policy mechanism, things don't change.

-- 
Thomas Roessler, W3C <[EMAIL PROTECTED]>
