Anne van Kesteren wrote:
> On Thu, 07 Feb 2008 01:11:31 +0100, Close, Tyler J. <[EMAIL PROTECTED]> wrote:
> > Anne van Kesteren wrote:
> >> What is recommended for this for cross-site GET and POST today?
> >
> > Today, browsers and sites cooperate to prevent cross-domain requests.
>
> Actually, no, that is not true. Today you can issue cross-site GET and
> POST requests, which is why I asked the question.
A browser may issue a cross-site request, but some servers are set up to recognize these requests and reject them; those servers that don't may be vulnerable to Cross Site Request Forgery (XSRF) attacks. The role of the server in rejecting these requests is what I was referring to when I said: "browsers and sites cooperate to prevent cross-domain requests". There is server-side cooperation in the prevention.

A key point in this issue is that today, browsers and servers cooperate to *prevent* these requests, whereas this WG wants them to cooperate on *accepting* requests. There are no accountability issues in a rejected request, since the request isn't processed. There may be accountability issues when requests are accepted. It seems the WG hasn't considered these issues.

--Tyler
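The "server-side cooperation" Tyler refers to, shown as an added example that is not part of the thread: a server that recognizes a state-changing request as cross-site and rejects it rather than processing it. The host name, secret and token format are this example's own assumptions; the check combines the browser-supplied Origin/Referer header with a per-session anti-forgery token that a foreign page cannot read.

```python
"""Server-side recognition and rejection of cross-site requests (XSRF defence).

Added illustration, not code from the thread: the browser attaches ambient
credentials to any request, so the server must decide whether the request
originated from its own pages (process) or from a foreign site (reject).
"""
import hashlib
import hmac
from typing import Dict, Optional
from urllib.parse import urlparse

SITE_HOST = "example.test"                  # constructed: host this server serves
SECRET_KEY = b"constructed-server-secret"   # constructed; load from config in practice


def issue_token(session_id: str) -> str:
    """Anti-forgery token bound to the session; embedded only in this site's own forms."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def _source_host(headers: Dict[str, str]) -> Optional[str]:
    """Host the browser reports the request came from (Origin, else Referer)."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return None
    return urlparse(src).hostname


def classify(method: str, headers: Dict[str, str], form: Dict[str, str],
             session_id: str) -> str:
    """Return 'process' or 'reject'.

    Safe methods are processed (handlers for them must not change state).
    State-changing methods are processed only when both signals say the
    request is same-site: the reported source host matches ours, and the
    form carries the token that only our own pages could have embedded.
    """
    if method in ("GET", "HEAD", "OPTIONS"):
        return "process"
    if _source_host(headers) != SITE_HOST:
        return "reject"            # cross-site or missing source: treat as forged
    expected = issue_token(session_id)
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(expected, supplied):
        return "reject"            # foreign page cannot read the token
    return "process"
```

A rejected request is never processed, which is exactly why it raises no accountability question; an accepted cross-site request is the case the message says still needs thought.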
