Subject: Re: [cmis-browser] Browser Binding CSRF Defense and Authentication
Hi Scott,

Each message contains a handle to the source frame and the origin domain. If this information is not sufficient to decide if it is a legitimate client, the server has to ask for authentication (= send the login URL).

There is a good description of postMessage() here:
https://developer.mozilla.org/en/DOM/window.postMessage

Tuesday and Wednesday would work for me.

- Florian

----- Original Message -----
From: "Scott Malabarba" <scott.malabarba@us.ibm.com>
To: cmis-browser@lists.oasis-open.org
Sent: Thursday, June 9, 2011 5:52:13 PM GMT +00:00 GMT Britain, Ireland, Portugal
Subject: Re: [cmis-browser] Browser Binding CSRF Defense and Authentication

Looks promising. I need to read up on cross-domain use of IFRAMEs.

One question I have is: on step 1, the browser submits (into the IFRAME) a request to the server, to which the server responds with a piece of JavaScript that can handle the token message. How does the server know that this request came from a legitimate client? Or, by what criteria would the browser block a malicious page from posting the URL into its own IFRAME?

Does next Tuesday or Wednesday 9AM PST work for a call?

Thanks,
Scott

From: Florian Müller <florian.mueller@alfresco.com>
To: cmis-browser@lists.oasis-open.org
Date: 06/09/2011 08:55 AM
Subject: [cmis-browser] Browser Binding CSRF Defense and Authentication

Hi all,

I finally have written up how the authentication process could work in the browser binding [1]. Sorry for the delay!

Please find flaws. Seriously.

Maybe we should set up another call to discuss it.

Thanks,
Florian

[1] http://www.oasis-open.org/apps/org/workgroup/cmis-browser/download.php/42484/BrowserBindingCSRFDefense.docx