[cap-talk] CORS and GIFAR attacks
Toby Murray
toby.murray at comlab.ox.ac.uk
Wed Oct 7 13:06:36 EDT 2009
2009/10/7 Sandro Magi <naasking at higherlogics.com>
> Adam Barth wrote:
> > Yes. GIFAR breaks all browser security mechanisms because the
> > attacker gets to run arbitrary script with the privileges of the
> > victim web site. We shouldn't view this as a problem with CORS but as
> > a problem with GIFAR or the web security model in general.
>
> And yet, I can't help but note that the unique token approaches
> suggested by myself and David Chizmadia would not be vulnerable to any
> such attacks, since we already assume that the client may be hostile.
>
Can these unique token approaches be implemented and standardised with the
same level of effort required to deploy CORS?
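To make the contrast in the quoted exchange concrete, the following is an added example (not code from the thread or from any of its participants) that runs the same three requests through an origin-based check, as CORS relies on, and through an unguessable-token check of the kind Sandro refers to. The origin value, the request shapes and the function names are constructed for the example. It also models one assumption explicitly: that script running with the victim site's privileges does not itself hold the out-of-band token; whether that assumption holds in a given deployment is the question a practitioner still has to answer.

```python
"""Constructed illustration: origin-based authorisation (the CORS model)
versus unguessable-token authorisation, evaluated on identical requests.
All names and sample values are assumptions for this example."""
import hmac
import secrets

TRUSTED_ORIGIN = "https://victim.example"  # constructed sample origin


def origin_policy_allows(request: dict) -> bool:
    """CORS-style check: trust rests on the Origin value the user agent
    attaches, i.e. on where the script is running, not on what it holds."""
    return request.get("origin") == TRUSTED_ORIGIN


class TokenProtectedResource:
    """Capability-token check: access requires presenting a secret token
    issued out of band to the legitimate client. The request's origin is
    not consulted, so the server assumes nothing about the client."""

    def __init__(self) -> None:
        self.token = secrets.token_urlsafe(32)  # 256 random bits, unguessable

    def allows(self, request: dict) -> bool:
        presented = request.get("token", "")
        # Constant-time comparison so the check itself does not leak token bytes.
        return hmac.compare_digest(presented, self.token)


def evaluate_scenarios(resource: TokenProtectedResource) -> dict:
    """Run three constructed requests through both policies.

    'hijacked_origin' models the situation the quoted message describes:
    script the attacker controls executing with the victim site's
    privileges. The browser therefore attaches the victim's Origin, but
    (an assumption of this model) the script does not hold the token."""
    requests = {
        "legit_client": {"origin": TRUSTED_ORIGIN, "token": resource.token},
        "hijacked_origin": {"origin": TRUSTED_ORIGIN},
        "third_party_no_token": {"origin": "https://other.example"},
    }
    return {
        name: {
            "origin_policy": origin_policy_allows(req),
            "token_policy": resource.allows(req),
        }
        for name, req in requests.items()
    }


if __name__ == "__main__":
    res = TokenProtectedResource()
    for name, outcome in evaluate_scenarios(res).items():
        print(f"{name:22s} origin_policy={outcome['origin_policy']!s:5s} "
              f"token_policy={outcome['token_policy']}")
```

The origin policy accepts the hijacked-origin request because the only evidence it consults is one the compromised context can supply; the token policy rejects it because possession of the secret, not location, is what it checks. The design question raised in the thread is then whether such a token can be kept out of reach of the compromised origin in practice.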