OASIS Mailing List Archives

cmis-browser message



Subject: Re: [cmis-browser] CSRF discussion


Good idea.  I scheduled a call for tomorrow, 9AM PST -- hope that works for you.  If not, any day next week.


I've mostly come around to your way of thinking on this.  There isn't any safe way for the server to pass a secret token
to the client, outside the context of some kind of authenticate() call like you proposed earlier.

If I understand CORS correctly, server developers or administrators could use it to secure their servers as an alternative
to requiring the separate authenticate() call, at the cost of reduced browser compatibility.  This wouldn't have to be part
of the API, though it could be mentioned in the spec as something like "The server SHOULD enable CORS filtering..."

We might be able to do something with cookies.  And I've got a couple of other less promising ideas.

Regards,
Scott





From:        Florian Müller <florian.mueller@alfresco.com>
To:        cmis-browser@lists.oasis-open.org
Date:        05/12/2011 08:15 AM
Subject:        [cmis-browser] CSRF discussion




Hi all,

Can we restart the CSRF discussion before the face-to-face meeting?

I would like to conclude this topic as soon as possible - maybe at the meeting or soon after.
I haven't continued the OpenCMIS implementation because of this...


Cheers,

Florian
