[cap-talk] CORS and GIFAR attacks
Adam Barth
cap-talk at adambarth.com
Wed Oct 7 13:20:10 EDT 2009
On Wed, Oct 7, 2009 at 10:06 AM, Toby Murray
<toby.murray at comlab.ox.ac.uk> wrote:
> 2009/10/7 Sandro Magi <naasking at higherlogics.com>
>> And yet, I can't help but note that the unique token approaches
>> suggested by myself and David Chizmadia would not be vulnerable to any
>> such attacks, since we already assume that the client may be hostile.
>
> Can these unique token approaches be implemented and standardised with the
> same level of effort required to deploy CORS?
My understanding is that these approaches do not need to be
implemented by browsers at all. The protocol is more akin to OpenID
or OAuth in that sense. You should feel free to write specifications and
convince server operators to use this approach.
Adam