[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: [OASIS Issue Tracker] Updated: (CMIS-715) API for cross site request forgery defense
[ http://tools.oasis-open.org/issues/browse/CMIS-715?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Gregory Melahn updated CMIS-715:
--------------------------------

    Proposal:

Proposal details:
V0 http://www.oasis-open.org/committees/download.php/41394/cmis-csrf-proposal.doc
V1 http://www.oasis-open.org/committees/download.php/41612/cmis-csrf-proposal.doc

Questions we discussed in the meeting:

Do all PUT and POST endpoints, including the AtomPub binding, need to be protected?
No -- as Florian put it, that is a theoretical risk. It applies only within a web browser, and browser-based apps are unlikely to use AtomPub when the browser binding is available.

Do GET endpoints need to be protected?
No, browser controls either prevent cross-site GET entirely or prevent JavaScript from inspecting the response. "JavaScript hijacking" attacks need more research -- they may be an exception to this rule.

  was:
See proposal for details: http://www.oasis-open.org/committees/download.php/41394/cmis-csrf-proposal.doc

Questions we discussed in the meeting:

Do all PUT and POST endpoints, including the AtomPub binding, need to be protected?
No -- as Florian put it, that is a theoretical risk. It applies only within a web browser, and browser-based apps are unlikely to use AtomPub when the browser binding is available.

Do GET endpoints need to be protected?
No, browser controls either prevent cross-site GET entirely or prevent JavaScript from inspecting the response. "JavaScript hijacking" attacks need more research -- they may be an exception to this rule.
Added link to document versions in proposal section

> API for cross site request forgery defense
> ------------------------------------------
>
>                 Key: CMIS-715
>                 URL: http://tools.oasis-open.org/issues/browse/CMIS-715
>             Project: OASIS Content Management Interoperability Services (CMIS) TC
>          Issue Type: New Feature
>          Components: Browser Binding
>    Affects Versions: Browser Binding Proposal
>            Reporter: Scott Malabarba
>            Assignee: Scott Malabarba
>             Fix For: Browser Binding Proposal
>
>
> We discussed this topic in the meeting on March 7. By supporting a form post endpoint, the browser binding introduces potential vulnerability to cross-site request forgery attacks (http://en.wikipedia.org/wiki/Csrf). We should provide for some common defenses in the browser binding API.

--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://tools.oasis-open.org/issues/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira