Subject: Re: [cmis-browser] Browser Binding CSRF Defense and Authentication


So the URL endpoint that generates the message-handling JavaScript would not be protected.
We'd rely on the message handler itself to validate the caller and determine if authentication is needed.  
That seems OK, since the IFRAME contents are inaccessible.

I booked it for Wednesday. Talk to you then.




From: Florian Müller <florian.mueller@alfresco.com>
To: Scott Malabarba/Costa Mesa/IBM@IBMUS
Cc: cmis-browser@lists.oasis-open.org
Date: 06/09/2011 01:06 PM
Subject: Re: [cmis-browser] Browser Binding CSRF Defense and Authentication




Hi Scott,

Each message contains a handle to the source frame and the origin domain. If this information is not sufficient to decide if it is a legitimate client, the server has to ask for authentication (= send the login URL).

There is a good description of postMessage() here:
https://developer.mozilla.org/en/DOM/window.postMessage

Tuesday and Wednesday would work for me.


- Florian


----- Original Message -----
From: "Scott Malabarba" <scott.malabarba@us.ibm.com>
To: cmis-browser@lists.oasis-open.org
Sent: Thursday, June 9, 2011 5:52:13 PM GMT +00:00 GMT Britain, Ireland, Portugal
Subject: Re: [cmis-browser] Browser Binding CSRF Defense and Authentication

Looks promising. I need to read up on cross-domain use of IFRAMEs.
One question I have is: on step 1, the browser submits (into the IFRAME) a request to the
server to which the server responds with a piece of JavaScript that can handle the token message. How does
the server know that this request came from a legitimate client? Or, by what criteria would the browser block
a malicious page from posting the URL into its own IFRAME?

Does next Tuesday or Wednesday 9AM PST work for a call?

Thanks,
Scott




From: Florian Müller <florian.mueller@alfresco.com>
To: cmis-browser@lists.oasis-open.org
Date: 06/09/2011 08:55 AM
Subject: [cmis-browser] Browser Binding CSRF Defense and Authentication




Hi all,

I finally have written up how the authentication process could work in the browser binding [1].
Sorry for the delay!

Please find flaws. Seriously.

Maybe we should set up another call to discuss it.


Thanks,

Florian


[1]
http://www.oasis-open.org/apps/org/workgroup/cmis-browser/download.php/42484/BrowserBindingCSRFDefense.docx

---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail. Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php


