On 2008-03-17 19:52:18 -0700, Sunava Dutta wrote:
> The Access-Control spec notes that:
>
>     Authors are to ensure that GET requests on their
>     applications have no side effects. If by some means an
>     attacker finds out what applications a user is associated
>     with, it might "attack" these applications with GET
>     requests that can effect [sic] the user's data (if the user
>     is already authenticated with any of these applications by
>     means of cookies or HTTP authentication).
>
> I'm concerned that this note suggests that the spec fails to meet
> its own requirement #2:
>
>     Must not require content authors or site maintainers to
>     implement new or additional security protections to
>     preserve their existing level of security protection.
>
> ...As cookies and HTTP authentication are commonly used security
> protections yet they are sent by cross-origin requests. CSRF is
> already a growing problem in the wild, and the Access-Control
> mechanism requires that web developers understand extremely
> subtle aspects of the security model to keep their sites secure.

I'm not sure how subtle the GET vs POST aspect really is -- after
all, Web developers who use GET with side effects without employing
mitigating techniques will already expose themselves to:

- any clients or proxies that assume that GET is idempotent

- attackers' ability to place pretty arbitrary GET requests with
  HTTP authentication headers and cookies, cross-site

That's not new, and it's not made worse in any significant way by
the access-control spec.

-- 
Thomas Roessler, W3C <[EMAIL PROTECTED]>
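Added example (not part of this message, the thread, or the Access-Control spec) illustrating the point both writers agree on: a browser sends the session cookie on a cross-site GET whether or not Access-Control exists, so a GET handler with side effects is already exposed, and the standard mitigation is independent of the spec. The code models two handlers for an assumed `/transfer` endpoint with no real framework or network: `handle_vulnerable` changes state on a cookie-authenticated GET, while `handle_hardened` refuses side effects on GET, accepts only POST, checks the `Origin` header against an assumed site origin, and requires a per-session CSRF token that a cross-site page cannot read. All names, origins, and the in-memory session store are constructed for the example.

```python
"""Constructed model of the GET-with-side-effects problem discussed above and
its usual mitigation. No real framework; requests are plain objects."""
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://app.example"  # assumed origin of the application


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)  # ambient credentials the browser attaches
    form: dict = field(default_factory=dict)


# Server-side session store (constructed): session id -> {"user", "csrf"}
SESSIONS = {}


def new_session(user):
    """Create a session with a random id and a random per-session CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """The token the application embeds in its own forms; a cross-site page
    cannot read it, so it proves the request came from the app's own page."""
    return SESSIONS[sid]["csrf"]


class Account:
    def __init__(self, balance=100):
        self.balance = balance


def handle_vulnerable(req, account):
    """The pattern the spec note warns about: a GET that changes state, authorised
    only by the cookie the browser sends automatically, cross-site included."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401
    if req.path != "/transfer":
        return 404
    account.balance -= int(req.form.get("amount", 0))  # side effect on GET
    return 200


def handle_hardened(req, account):
    """Side effects only on POST, and only when the request can be shown to
    originate from the application's own page rather than from its cookie alone."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401
    if req.path != "/transfer":
        return 404
    if req.method != "POST":
        return 405  # GET stays safe and idempotent: no state change, ever
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403  # browser-supplied Origin says this is a cross-site post
    token = req.form.get("csrf", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403  # cookie present but no proof the user's own page sent this
    account.balance -= int(req.form.get("amount", 0))
    return 200


if __name__ == "__main__":
    sid = new_session("alice")
    cross_site_get = Request("GET", "/transfer", cookies={"sid": sid}, form={"amount": "30"})
    a = Account()
    print("vulnerable handler, cross-site GET:", handle_vulnerable(cross_site_get, a), a.balance)
    b = Account()
    print("hardened handler, cross-site GET:", handle_hardened(cross_site_get, b), b.balance)
```

The `Origin` check is a belt-and-braces addition: it is absent on some requests, so the token check is what actually carries the decision, and the two are ordered so that a request failing either one changes nothing.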
