Re: [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers



Hey pdp - Interesting comments.  I'm responding to just a few of them.

On 8/11/07, pdp (architect) <pdp.gnucitizen@xxxxxxxxxxxxxx> wrote:
> Also keep in mind that this solution will stop only POST based CSRF
> attacks. Those based on GET cannot be stopped.

I don't see why this has to be the case.  Why shouldn't policies like
the one Anurag described apply equally to all request methods?  More
to the point, why shouldn't we build a system that lets web masters
describe "allow known good" types of policies?

<snip>
> So yes, we can set up a policy but it will never take off. First of all
> standardization bodies need to accept it. Then browsers have to
> implement it and we have a browser war going on at the moment. No
> developer will implement a standard that is not widely adopted.

HttpOnly has been widely adopted, despite being proposed without
approval of a standards body.  All of the major browser vendors
recognize that security is a problem.  Good ideas will catch on.  W3C
will catch up eventually. =)

Cheers,
Brian
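An added example (my own, not code from Brian, pdp or anyone else on this thread) of the point that an "allow known good" policy can be enforced independently of request method: a constructed per-path allow-list of origins is checked for GET exactly as for POST, so a cross-site GET to a state-changing URL is refused too. The paths, origins and function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed "allow known good" policy (hypothetical values): for each
# protected path, the set of origins permitted to send requests to it.
POLICY = {
    "/account/transfer": {"https://bank.example"},
    "/account/settings": {"https://bank.example", "https://admin.bank.example"},
}


def request_origin(headers):
    """Derive the requesting origin from the Origin header, falling back to
    the scheme and host of Referer; None when neither is present."""
    origin = headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def is_allowed(method, path, headers):
    """Decide whether a request may proceed under POLICY.

    `method` is accepted but deliberately never consulted: the policy is
    about who may call a protected path, not about which verb was used,
    so GET-based CSRF is covered by the same check as POST-based CSRF.
    """
    allowed_origins = POLICY.get(path)
    if allowed_origins is None:
        return True          # path is not protected by the policy
    origin = request_origin(headers)
    if origin is None:
        return False         # no provenance at all: deny by default
    return origin in allowed_origins


if __name__ == "__main__":
    # A cross-site GET that a POST-only defence would wave through.
    print(is_allowed("GET", "/account/transfer",
                     {"Referer": "https://evil.example/page"}))   # False
    print(is_allowed("POST", "/account/transfer",
                     {"Origin": "https://bank.example"}))          # True
```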

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]