Subject: [OASIS Issue Tracker] Commented: (CMIS-715) API for cross site request forgery defense
[ http://tools.oasis-open.org/issues/browse/CMIS-715?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=25073#action_25073 ]

Scott Malabarba commented on CMIS-715:
--------------------------------------

I revised the proposal (V1) to properly reflect the use of JSONP throughout the binding. Summary of changes:

- GET endpoints are vulnerable (via JSONP) and should be protected with a secret token.
- The custom header is of limited use in the browser binding because legitimate clients relying on JSONP cannot send it.
- AtomPub and WS using HTTP GET are vulnerable and should be protected. The custom header is a good, lightweight option for these bindings.
- The operation that returns the secret token cannot return JSON (otherwise a malicious client using JSONP could retrieve it). Clients must use some other method, such as a request proxy, to work around same-domain restrictions.

> API for cross site request forgery defense
> ------------------------------------------
>
> Key: CMIS-715
> URL: http://tools.oasis-open.org/issues/browse/CMIS-715
> Project: OASIS Content Management Interoperability Services (CMIS) TC
> Issue Type: New Feature
> Components: Browser Binding
> Affects Versions: Browser Binding Proposal
> Reporter: Scott Malabarba
> Assignee: Scott Malabarba
> Fix For: Browser Binding Proposal
>
>
> We discussed this topic in the meeting on March 7. By supporting a form post endpoint, the browser binding introduces potential vulnerability to cross-site request forgery attacks (http://en.wikipedia.org/wiki/Csrf). We should provide for some common defenses in the browser binding API.

--
This message is automatically generated by JIRA.
- If you think it was sent incorrectly contact one of the administrators: http://tools.oasis-open.org/issues/secure/Administrators.jspa
- For more information on JIRA, see: http://www.atlassian.com/software/jira
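The server-side checks the comment above proposes, as an added illustration that is not part of the issue tracker message or of any CMIS implementation: a token endpoint that answers in plain text rather than JSON (so a JSONP script include cannot evaluate and capture it), a browser-binding check that requires the token on JSONP GETs and form POSTs, and an AtomPub/WS check that accepts the custom header as the lightweight alternative. The header name `X-CMIS-CSRF`, the `callback` and `token` parameter names, and the request/session dictionaries are assumptions made for this example.

```python
import hmac
import secrets

# Constructed model of the CMIS-715 proposal; not the project's own code.
# Header name is hypothetical: the issue only speaks of "the custom header".
CSRF_HEADER = "X-CMIS-CSRF"


def issue_token(session):
    """Mint a per-session secret token.

    The body is text/plain, never JSON: a cross-origin page can only
    reach this endpoint through a <script src=...> (JSONP) include, and
    a non-JSON, non-JavaScript body cannot be evaluated to leak the token.
    """
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return {"status": 200, "content_type": "text/plain", "body": token}


def token_ok(session, presented):
    """Constant-time comparison of the presented token with the session's."""
    expected = session.get("csrf_token")
    return bool(expected and presented) and hmac.compare_digest(expected, presented)


def check_browser_binding(request, session):
    """Browser binding: JSONP clients cannot set a custom header, so the
    token travels as a request parameter. It is required on every POST
    (form post endpoint) and on every GET that asks for a JSONP callback;
    a plain JSON GET without a callback is unreadable cross-origin and is
    let through in this example."""
    is_jsonp = "callback" in request["params"]
    if request["method"] == "GET" and not is_jsonp:
        return True
    return token_ok(session, request["params"].get("token"))


def check_header_binding(request, session):
    """AtomPub / Web Services: a forged cross-site request cannot carry a
    custom header, so its presence is accepted as the lightweight defense;
    the token parameter remains available as a fallback."""
    if CSRF_HEADER in request["headers"]:
        return True
    return token_ok(session, request["params"].get("token"))
```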