[cap-talk] Security considerations for cookies
Adam Barth
w3c at adambarth.com
Wed Feb 17 12:09:06 PST 2010
On Wed, Feb 17, 2010 at 10:52 AM, Tyler Close <tyler.close at gmail.com> wrote:
> Maybe something like the above will hit developer's brain pan in a
> more permanent way.
Thanks Tyler. I've changed the text to:
[[
<t>Although this security concern goes by a number of names (e.g.,
cross-site request forgery, confused deputy), the issue stems from
cookies being a form of ambient authority. Cookies encourage server
operators to separate designation (in the form of URLs) from
authorization (in the form of cookies). Consequently, the user agent
might supply the authorization for a resource designated by the
attacker, possibly causing the server or its clients to undertake
actions designated by the attacker as though they were authorized by
the user.</t>
]]
This text is meant to be the same as yours, but slightly more
conservative in its claims about what the attacker can actually do and
slightly more precise about which entity undertakes which actions.
Let me know if you have additional feedback.
Adam