
Re: [WEB SECURITY] Seeking feedback on proposed security restriction in the browsers



comments inlined :)

On 8/13/07, Brian Eaton <eaton.lists@xxxxxxxxx> wrote:
> Hey pdp - Interesting comments.  I'm responding to just a few of them.
>
> On 8/11/07, pdp (architect) <pdp.gnucitizen@xxxxxxxxxxxxxx> wrote:
> > Also keep in mind that this solution will stop only POST based CSRF
> > attacks. Those based on GET cannot be stopped.
>
> I don't see why this has to be the case.  Why shouldn't policies like
> the one Anurag described apply equally to all request methods?  More
> to the point, why shouldn't we build a system that lets web masters
> describe "allow known good" types of policies?
>

The reason I mentioned that is because GET is usually in the form of a
link or an image. If you block these, you break the most fundamental
principle the web is based on.

> <snip>
> > So yes, we can set up a policy but it will never take off. First of all,
> > standardization bodies need to accept it. Then browsers have to
> > implement it, and we have a browser war going on at the moment. No
> > developer will implement a standard that is not widely adopted.
>
> HttpOnly has been widely adopted, despite being proposed without
> approval of a standards body.  All of the major browser vendors
> recognize that security is a problem.  Good ideas will catch on.  W3C
> will catch up eventually. =)
>
> Cheers,
> Brian
>


-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
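The two positions in the exchange above (a browser-side "allow known good" policy can be applied to every method, versus restricting cross-site GET breaks links and images) can be made concrete with a small simulation. This is an added example, not code from the thread, from any browser, or from any proposed standard; the policy shape, the site bank.example and its paths, and the evil.example, partner.example and news.example origins are assumptions made for illustration. The same evaluator is run against two constructed policies: a selective one that only restricts the state-changing endpoint, and a blunt one that restricts every cross-site GET.

```javascript
// Added example (not from the mailing-list thread): a toy "allow known good"
// request policy evaluated the same way for every HTTP method.
// All site names, paths and origins below are constructed for illustration.

// A rule matches by method and path prefix. `allowFrom` is either "any"
// (safe to trigger from any site: images, plain links) or a list of extra
// origins allowed to initiate the request; the site itself is always allowed.
function makePolicy(site, rules) {
  return { site, rules };
}

// Decide whether a request should be sent under `policy`.
// request = { method, url, initiator }, where `initiator` is the origin of
// the page that caused the request (the page holding the <img> or <form>).
function evaluate(policy, request) {
  const target = new URL(request.url);
  if (target.origin !== policy.site) {
    return { allowed: true, reason: "policy does not cover this site" };
  }
  for (const rule of policy.rules) {
    if (rule.method !== request.method) continue;
    if (!target.pathname.startsWith(rule.pathPrefix)) continue;
    if (rule.allowFrom === "any") {
      return { allowed: true, reason: `${rule.method} ${rule.pathPrefix}: allowed from any site` };
    }
    const ok = request.initiator === policy.site || rule.allowFrom.includes(request.initiator);
    return {
      allowed: ok,
      reason: ok
        ? `initiator ${request.initiator} is allowed for ${request.method} ${target.pathname}`
        : `${request.method} ${target.pathname} from ${request.initiator} is not on the allow list`,
    };
  }
  return { allowed: false, reason: "no rule matched (default deny)" };
}

const SITE = "https://bank.example"; // hypothetical site

// Selective policy: public content may be linked or embedded from anywhere;
// the state-changing endpoint is restricted for GET *and* POST alike.
const selectivePolicy = makePolicy(SITE, [
  { method: "GET",  pathPrefix: "/static/",  allowFrom: "any" },
  { method: "GET",  pathPrefix: "/public/",  allowFrom: "any" },
  { method: "GET",  pathPrefix: "/transfer", allowFrom: ["https://partner.example"] },
  { method: "POST", pathPrefix: "/transfer", allowFrom: ["https://partner.example"] },
]);

// Blunt policy: every cross-site request, GET included, is blocked. This stops
// GET-based CSRF but also breaks inbound links and embedded images.
const bluntPolicy = makePolicy(SITE, [
  { method: "GET",  pathPrefix: "/", allowFrom: [] },
  { method: "POST", pathPrefix: "/", allowFrom: [] },
]);

// Constructed requests that third-party pages could cause the browser to make.
const cases = [
  { name: "img tag loading the logo",       method: "GET",  url: SITE + "/static/logo.png",              initiator: "https://evil.example" },
  { name: "img tag firing a GET transfer",  method: "GET",  url: SITE + "/transfer?to=attacker&amt=100", initiator: "https://evil.example" },
  { name: "auto-submitted POST form",       method: "POST", url: SITE + "/transfer",                     initiator: "https://evil.example" },
  { name: "bank's own transfer form",       method: "POST", url: SITE + "/transfer",                     initiator: SITE },
  { name: "ordinary link from a news site", method: "GET",  url: SITE + "/public/rates",                 initiator: "https://news.example" },
];

// Run every constructed case against one policy; returns [{ name, allowed }].
function runCases(policy) {
  return cases.map((c) => ({ name: c.name, allowed: evaluate(policy, c).allowed }));
}

for (const [label, policy] of [["selective", selectivePolicy], ["blunt", bluntPolicy]]) {
  console.log(`${label} policy:`);
  for (const r of runCases(policy)) {
    console.log(`  ${r.allowed ? "allow" : "block"}  ${r.name}`);
  }
}
```

Under the selective policy the logo and the news-site link go through while both CSRF attempts against /transfer are blocked, whichever method they use; under the blunt policy the CSRF attempts are blocked too, but so are the logo and the ordinary link. The evaluator relies on knowing the initiating origin, which is itself an assumption about what the browser would expose to such a policy.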

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]



Brought to you by http://www.webappsec.org