Thomas Roessler <[EMAIL PROTECTED]> wrote on 04/14/2008 08:21:50 AM:
> On 2008-04-14 08:07:10 -0700, Jon Ferraiolo wrote:
>
> > On the architecture side, Access Control is just plain wrong,
> > with the PEP on the client instead of the server, which requires
> > data to be sent along the pipe to the client, where the client is
> > trusted to discard the data if the user isn't allowed to see the
> > data; it is just plain architecturally wrong to transmit data
> > that is not meant to be seen.
>
> This seems to confuse the attacker model a bit. It's not about the
> user not being permitted to see the data, it's about a web
> application from a different origin not being allowed to manipulate
> the data, even though the user is allowed to see the data.

The comment in question wasn't about CSRF or other data-setting attacks on a server, but instead about how it is architecturally wrong to send data that ultimately will be thrown out when it reaches the client. If I were outside of the standards world and wrote some code that did this, I would be embarrassed to show such an implementation during a code walkthrough. The policy check should be done before the data is transmitted.

Jon
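The two enforcement placements the thread argues about, as an added example that is not part of the original messages or of the Access Control specification: one handler keeps the policy enforcement point on the client side (the body is always transmitted and only the access-control header varies, so the user agent is trusted to withhold it), the other checks the Origin against an allow-list before anything is put on the wire. The origin allow-list, the resource body and the request headers are constructed for the example; the absence of an Origin header is treated as a same-origin request, which is an assumption of this example and not something the thread states.

```python
# Added example, not code from the thread. Contrasts a client-enforced
# cross-origin read policy (body always sent, user agent expected to
# discard it) with a server-enforced one (policy decided before the
# body is transmitted). Allow-list, resource and requests are constructed.

from typing import Dict, Tuple

# Constructed allow-list of origins permitted to read this resource.
ALLOWED_ORIGINS = {"https://app.example"}

# Constructed resource body that must not reach a disallowed origin.
PRIVATE_DATA = '{"balance": 1234}'

Response = Tuple[int, Dict[str, str], str]  # (status, headers, body)


def policy_allows(origin: str) -> bool:
    """Policy decision: may a page from this Origin read the data?"""
    return origin in ALLOWED_ORIGINS


def serve_client_enforced(headers: Dict[str, str]) -> Response:
    """Enforcement point on the client: the server transmits the body for
    every request and only attaches the allow header when the policy
    permits; the user agent is trusted to withhold the body otherwise."""
    origin = headers.get("Origin")
    resp_headers = {"Content-Type": "application/json"}
    if origin is not None and policy_allows(origin):
        resp_headers["Access-Control-Allow-Origin"] = origin
    # The body leaves the server regardless of the policy decision.
    return 200, resp_headers, PRIVATE_DATA


def serve_server_enforced(headers: Dict[str, str]) -> Response:
    """Enforcement point on the server: the policy is checked first and a
    disallowed Origin receives 403 with an empty body, so data that must
    not be seen never goes onto the wire."""
    origin = headers.get("Origin")
    if origin is None:
        # Assumption for this example: no Origin header means a
        # same-origin request, which the policy does not restrict.
        return 200, {"Content-Type": "application/json"}, PRIVATE_DATA
    if not policy_allows(origin):
        return 403, {"Content-Type": "text/plain"}, ""
    return 200, {"Content-Type": "application/json",
                 "Access-Control-Allow-Origin": origin}, PRIVATE_DATA


def body_bytes_transmitted(resp: Response) -> int:
    """How many bytes of the resource body a response actually sends."""
    return len(resp[2].encode("utf-8"))


if __name__ == "__main__":
    for origin in ("https://app.example", "https://other.example"):
        req = {"Origin": origin}
        print(origin,
              "client-enforced sends", body_bytes_transmitted(serve_client_enforced(req)),
              "bytes; server-enforced sends", body_bytes_transmitted(serve_server_enforced(req)),
              "bytes")
```

Run it and the disallowed origin shows the difference the thread is about: the client-enforced handler still transmits the full body (merely without the allow header), while the server-enforced handler transmits nothing.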