cmis-browser message
Subject: Re: [cmis-browser] Browser Binding CSRF Defense and Authentication
- From: Scott Malabarba <scott.malabarba@us.ibm.com>
- To: Florian Müller <florian.mueller@alfresco.com>
- Date: Thu, 9 Jun 2011 17:07:44 -0700
So the URL endpoint that generates the message-handling JavaScript would not be protected. We'd rely on the message handler itself to validate the caller and determine if authentication is needed. That seems OK, since the IFRAME contents are inaccessible.

I booked it for Wednesday. Talk to you then.
From: Florian Müller <florian.mueller@alfresco.com>
To: Scott Malabarba/Costa Mesa/IBM@IBMUS
Cc: cmis-browser@lists.oasis-open.org
Date: 06/09/2011 01:06 PM
Subject: Re: [cmis-browser] Browser Binding CSRF Defense and Authentication
Hi Scott,
Each message contains a handle to the source frame and the origin domain.
If this information is not sufficient to decide if it is a legitimate client,
the server has to ask for authentication (= send the login URL).
There is a good description of postMessage() here:
https://developer.mozilla.org/en/DOM/window.postMessage
Tuesday and Wednesday would work for me.
- Florian
----- Original Message -----
From: "Scott Malabarba" <scott.malabarba@us.ibm.com>
To: cmis-browser@lists.oasis-open.org
Sent: Thursday, June 9, 2011 5:52:13 PM GMT +00:00 GMT Britain, Ireland, Portugal
Subject: Re: [cmis-browser] Browser Binding CSRF Defense and Authentication
Looks promising. I need to read up on cross-domain use of IFRAMEs.
One question I have is: on step 1, the browser submits (into the IFRAME) a request to the server, to which the server responds with a piece of JavaScript that can handle the token message. How does the server know that this request came from a legitimate client? Or, by what criteria would the browser block a malicious page from posting the URL into its own IFRAME?
Does next Tuesday or Wednesday 9AM PST work for a call?
Thanks,
Scott
From: Florian Müller <florian.mueller@alfresco.com>
To: cmis-browser@lists.oasis-open.org
Date: 06/09/2011 08:55 AM
Subject: [cmis-browser] Browser Binding CSRF Defense and Authentication
Hi all,
I finally have written up how the authentication process could work in
the browser binding [1].
Sorry for the delay!
Please find flaws. Seriously.
Maybe we should set up another call to discuss it.
Thanks,
Florian
[1] http://www.oasis-open.org/apps/org/workgroup/cmis-browser/download.php/42484/BrowserBindingCSRFDefense.docx
---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail. Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
---------------------------------------------------------------------
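The exchange above (the IFRAME served from the repository origin, the client posting a request into it, and the message handler deciding from the browser-supplied origin whether to hand back the token or send the login URL) as a worked example. This is added illustration code written for this page; it is not from the CMIS TC draft linked as [1] nor from any CMIS implementation. The allow-listed client origin, the login URL, the message type names and the token value are all assumptions made for the example; in the real flow the server would inject a per-session token into the script it serves into the IFRAME.

```javascript
// Added example, not from the CMIS TC draft. Models the scheme discussed in the
// thread: the repository serves this script into an IFRAME on its own origin; the
// embedding client page asks for the CSRF token via postMessage; the handler uses
// event.origin (filled in by the browser, not by the sender) to decide whether the
// caller is a legitimate client and replies with either the token or the login URL.

// Assumed client origin(s) the repository is willing to hand a token to.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);
// Assumed login endpoint sent back when the caller cannot be trusted.
const LOGIN_URL = 'https://repo.example.com/login';
// Constructed placeholder: in the real flow the server injects a per-session
// value here when it serves the script into the IFRAME.
const CSRF_TOKEN = 'example-session-token-0123456789abcdef';

// Decide what to reply based on the browser-supplied origin and the message body.
// Returns null when the message is not a token request and should be ignored.
function decideReply(origin, data) {
  // Only well-formed token requests are considered; anything else is dropped.
  if (!data || typeof data !== 'object' || data.type !== 'cmis:getToken') {
    return null;
  }
  // 'null' is the opaque origin of sandboxed frames and file:// pages; never
  // treat it as a client. Any origin not on the allow list gets the login URL.
  if (origin === 'null' || !ALLOWED_ORIGINS.has(origin)) {
    return { type: 'cmis:login', url: LOGIN_URL };
  }
  return { type: 'cmis:token', token: CSRF_TOKEN };
}

// 'message' event handler running inside the IFRAME. The reply goes back to
// event.source with targetOrigin set to event.origin, so the token is only
// delivered to a window whose origin matches the one the browser reported.
function handleMessage(event) {
  const reply = decideReply(event.origin, event.data);
  if (reply === null || !event.source) {
    return null;
  }
  event.source.postMessage(reply, event.origin);
  return reply;
}

// Register the handler when running in a browser (skipped under Node).
if (typeof window !== 'undefined') {
  window.addEventListener('message', handleMessage);
}

// Client side (the embedding page): ask the IFRAME for the token, naming the
// repository origin explicitly as targetOrigin rather than '*', so the request
// is not delivered if something else has been navigated into the frame.
function requestToken(frameWindow, repoOrigin) {
  frameWindow.postMessage({ type: 'cmis:getToken' }, repoOrigin);
}
```

The point the thread circles around is visible in `decideReply`: the request that loads the script into the IFRAME is unauthenticated and any page can make it, but the token itself only leaves the frame in response to a message whose `event.origin` the browser has set, and the reply is addressed to that same origin. A page on another origin that frames the endpoint therefore receives the login URL, not the token.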