On Sat, 24 Oct 2009 19:07:24 +0200, Adam Barth <w...@adambarth.com> wrote:
> On Fri, Oct 23, 2009 at 11:07 PM, David-Sarah Hopwood
> <david-sa...@jacaranda.org> wrote:
>> The specific risk is quite clear: it's the risk of CSRF attacks that
>> are currently prevented (or mitigated) by the same-origin policy.
>> These won't be prevented or mitigated to the same extent by browsers
>> that implement CORS.
>
> The reason the risk is unclear is because this scenario requires
> servers to opt in to this behavior.  It's hard for us to know what
> else server operators will do when they opt in to CORS.
>
> What is clear, however, is that in the simple cases, there is no
> additional CSRF risk because the set of requests an attacker can
> generate is not expanded by CORS.

This is not limited to the simple cases, for what it's worth. It requires opt-in in all cases. By default everything is pretty much the same as far as servers are concerned.


--
Anne van Kesteren
http://annevankesteren.nl/
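The point both replies turn on, as an added illustration (not code from this thread, from any browser, or from any server project): a small Python model of which cross-origin requests a browser delivers to a server. "Simple" requests (the ones an HTML form could already send) are delivered whether or not CORS exists, so CORS adds nothing to the CSRF surface there; non-simple requests are delivered only if the server opts in through a preflight. The two policies, origins and sample requests below are constructed; the reflecting policy models the opt-in mistake a server operator can make, which is where the extra exposure Adam mentions would come from.

```python
# Added example: model of CORS request delivery from the server's point of
# view. Origins, policies and requests are constructed for illustration.

SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SIMPLE_CONTENT_TYPES = {"application/x-www-form-urlencoded",
                        "multipart/form-data", "text/plain"}
# Request headers a browser may send cross-origin without a preflight.
SAFELISTED_HEADERS = {"accept", "accept-language",
                      "content-language", "content-type"}


def headers_needing_preflight(headers):
    """Names of request headers an HTML form could not have set. These must
    appear in Access-Control-Request-Headers and be approved by the server."""
    needing = set()
    for name, value in headers.items():
        lname = name.lower()
        if lname not in SAFELISTED_HEADERS:
            needing.add(lname)
        elif lname == "content-type":
            mime = value.split(";", 1)[0].strip().lower()
            if mime not in SIMPLE_CONTENT_TYPES:
                needing.add(lname)  # e.g. application/json is not form-sendable
    return needing


def is_simple_request(method, headers):
    """True when the browser sends the request with no preflight, exactly as
    it would for a form submission (cookies attached, no opt-in required)."""
    return method.upper() in SIMPLE_METHODS and not headers_needing_preflight(headers)


def origin_allowed(policy, origin):
    """The server-side opt-in decision for an Origin value."""
    if origin is None:
        return False
    if policy.get("reflect_any_origin"):
        return True  # anti-pattern: echoing whatever Origin arrives
    return origin in policy["origins"]


def preflight_response(policy, origin, method, headers):
    """Headers the server would return for the OPTIONS preflight, or {} to
    refuse. Refusal means the browser never sends the real request."""
    if not origin_allowed(policy, origin):
        return {}
    if method.upper() not in policy["methods"]:
        return {}
    requested = headers_needing_preflight(headers)
    if not requested <= policy["headers"]:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Methods": ", ".join(sorted(policy["methods"])),
            "Access-Control-Allow-Headers": ", ".join(sorted(requested)),
            "Vary": "Origin"}


def request_is_delivered(policy, origin, method, headers):
    """Does the server ever see this cross-origin request? For CSRF this is
    the question that matters; whether the response is readable is separate."""
    if is_simple_request(method, headers):
        return True  # same request set a form could produce, CORS or not
    return bool(preflight_response(policy, origin, method, headers))


# Constructed policies: an exact allow-list, and the reflecting anti-pattern.
STRICT_POLICY = {"origins": {"https://app.example"}, "reflect_any_origin": False,
                 "methods": {"GET", "POST", "PUT"},
                 "headers": {"content-type", "x-csrf-token"}}
REFLECTING_POLICY = {"origins": set(), "reflect_any_origin": True,
                     "methods": {"GET", "POST", "PUT", "DELETE"},
                     "headers": {"content-type", "x-csrf-token"}}


if __name__ == "__main__":
    other = "https://other.example"  # constructed third-party origin
    cases = [("POST", {"Content-Type": "application/x-www-form-urlencoded"}),
             ("PUT", {"Content-Type": "application/json"})]
    for name, policy in (("strict", STRICT_POLICY), ("reflecting", REFLECTING_POLICY)):
        for method, hdrs in cases:
            print(name, method, hdrs.get("Content-Type"),
                  "delivered" if request_is_delivered(policy, other, method, hdrs)
                  else "blocked")
```

Under the strict policy the form-style POST from a third-party origin is delivered in both rows (CORS changed nothing), while the JSON PUT is blocked; under the reflecting policy the JSON PUT is delivered too, which is the expanded request set that only an opted-in server exposes.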
