Bjoern Hoehrmann wrote:
> * Anne van Kesteren wrote:
>> You already said that. I'm not sure how you think that helps.
>
> I think Thomas read you as saying it's good practise if authors of web
> services that handle POST requests secure their service against cross-site
> <form> submissions, but do not secure them against cross-site XHR
> requests, whereas you were really saying, authors have to do the former
> and might not currently do the latter, independent of good practises.
>
> His point is that you really have to secure them against both, whatever
> that may mean for a particular service, so there is no difference from
> the perspective of the author's site. The relevance of your distinction
> to the discussion is that one wants to minimize the ways in which web
> browsers can be used to attack poorly secured web services, and Thomas
> was asking to which degree this actually has security benefits.
Why do you have to currently check for cross-site XHR POST requests? I
would argue that you don't, and that there very likely are servers out
there that don't. Thus, if we simply allowed cross-site XHR POST
requests we'd make such servers vulnerable whereas they didn't use to
be.

I agree that there very likely are servers out there that are vulnerable
to cross-site <form> POST requests. That is bad, but I don't think that
is anything we can or should do anything about here.
/ Jonas
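As an added illustration (not part of this thread, and not code from any of the participants), the following models the server-side situation Jonas describes: a browser `<form>` can only produce POSTs with a handful of content types and no custom headers, so a service that only accepts JSON or a custom header has been implicitly shielded from cross-site `<form>` submissions and may never have added an explicit check. The `legacy_accepts` / `hardened_accepts` functions, the `Origin` comparison and the sample request are all constructed for this example.

```python
# Added example, not from the mailing-list thread. Models why a service that
# was never reachable from a cross-site <form> becomes exposed once browsers
# permit cross-site XHR POSTs, and what the hardened check looks like.

# Content types a browser <form> submission can generate.
FORM_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}


def could_be_form_post(headers: dict) -> bool:
    """True if an HTML <form> could have produced a request with these headers."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    # A <form> cannot set custom headers such as X-Requested-With.
    if any(k.lower().startswith("x-") for k in headers):
        return False
    return ctype in FORM_CONTENT_TYPES


def legacy_accepts(headers: dict, body_token: str, session_token: str) -> bool:
    """Hypothetical legacy server: only form-shaped POSTs carry a CSRF token
    check; anything XHR-shaped is assumed same-origin because browsers used
    to refuse cross-site XHR. Allowing cross-site XHR breaks that assumption."""
    if could_be_form_post(headers):
        return body_token == session_token
    return True  # implicit trust: "only our own XHR can send this shape"


def hardened_accepts(headers: dict, body_token: str, session_token: str,
                     site_origin: str) -> bool:
    """Guard every state-changing POST regardless of shape: reject a foreign
    Origin when the header is present, and always require a valid CSRF token."""
    origin = headers.get("Origin")
    if origin is not None and origin != site_origin:
        return False
    return body_token == session_token


# Constructed sample: a JSON POST as a cross-site XHR from another site would send it.
CROSS_SITE_XHR = {"Content-Type": "application/json",
                  "Origin": "http://other-site.example"}
```

Run against the constructed sample, `legacy_accepts` lets the cross-site JSON POST through with no token at all, while `hardened_accepts` rejects it; both still reject a form-shaped POST carrying the wrong token.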