Close, Tyler J. wrote:
> The widespread vulnerability to XSRF makes it clear that developers
> aren't used to thinking about the implications of letting third-party
> sites automatically use the user's credentials. That alone suggests
> widening the number of cases to think about is dangerous. I am further
> arguing that there is nothing to be gained in this widening. Viable
> designs require the user's consent for Site B to issue a request to Site
> A on the user's behalf. In such a scenario, Site B is claiming to Site A
> that the user wants something. Designing the protocol such that Site
> B makes this claim without giving Site A any way to verify the claim is
> asking for trouble.
I think the main reason CSRF is so common today is that sites just don't
think about the fact that they can be getting requests that originate
from other sites. It's to a much, much smaller extent the fact that they
realize that they can get cross-site requests, attempt to protect
themselves against it, but fail to do it properly.
Do you know of any incidents where that has been the case?
With access-control, sites specifically opt in to getting cross-site
requests. So I don't really see how they would not realize that they are
going to then receive those cross-site requests.
> Back to your privacy comparison, this is not about controlling what you
> do with what the user told you, but controlling how you claim to another
> that you speak on the user's behalf.
Cookies included in the request do not mean that you speak on the
user's behalf. It just means that the user is using your site.
/ Jonas
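An added illustration of the two points argued above (it is not code from the thread or from any access-control implementation): a site that opts in to cross-site requests only for origins it lists, and that treats the cookie as proof of login but requires a separate token as proof that the user intended the action. The request shape, the allow-list and the secret are constructed for the example.

```python
import hmac
import hashlib

# Constructed values for the example: the origins this site opts in for,
# and the server-side secret used to derive per-session intent tokens.
ALLOWED_ORIGINS = {"https://partner.example"}
SECRET = b"constructed-server-secret"


def csrf_token(session_id: str) -> str:
    """Token bound to the session; a third-party site cannot compute it."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def decide(request: dict) -> tuple:
    """Return (status, extra response headers) for a state-changing request.

    request = {"site": own origin, "headers": {...}, "cookies": {...}, "form": {...}}
    """
    session = request.get("cookies", {}).get("session")
    if session is None:
        return 401, {}                      # no cookie: user is not even logged in

    origin = request["headers"].get("Origin")
    resp = {}
    if origin is not None and origin != request["site"]:
        # Cross-site request. The browser only enforces the response headers
        # *after* the request ran, so the server itself must refuse origins
        # it never opted in for; otherwise this is plain CSRF with extra steps.
        if origin not in ALLOWED_ORIGINS:
            return 403, {}
        # Opted-in origin: echo it back explicitly (a wildcard is not permitted
        # together with credentials) and allow the cookie to be used.
        resp = {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}

    # The cookie proved who the user is; the token proves the user meant this.
    # It is also the only check that covers requests carrying no Origin header.
    supplied = request.get("form", {}).get("csrf", "")
    if not hmac.compare_digest(supplied, csrf_token(session)):
        return 403, resp
    return 200, resp
```

An opted-in partner can obtain the token through a credentialed read that the site also allowed; an origin the site never listed gets neither the token nor a successful write.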