Subject: [OASIS Issue Tracker] Commented: (ODATA-262) Specify how OData services can be protected against cross-site request forgery (CSRF or XSRF)


    [ http://tools.oasis-open.org/issues/browse/ODATA-262?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=33618#action_33618 ] 

Michael Pizzo commented on ODATA-262:
-------------------------------------

From our discussion in the May 30, 2013 spec, folks will follow up with security experts within their companies and be prepared to discuss at Face to Face in June. Consider publishing this as a committee note that could be maintained more dynamically than specification.

> Specify how OData services can be protected against cross-site request forgery (CSRF or XSRF)
> ---------------------------------------------------------------------------------------------
>
>                 Key: ODATA-262
>                 URL: http://tools.oasis-open.org/issues/browse/ODATA-262
>             Project: OASIS Open Data Protocol (OData) TC
>          Issue Type: New Feature
>          Components: OData Protocol 
>    Affects Versions: V4.0_WD01
>         Environment: [Proposed]
>            Reporter: Ralf Handl
>             Fix For: V4.0_WD01
>
>
> A good CSRF protection pattern is that the server issues a CSRF token that is communicated to the client in a special header in responses to GET requests.
> This CSRF token must be included in a special header in subsequent modifying requests.
> To guarantee interoperability between different OData implementations the choreography, header names, and header formats must be standardized.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://tools.oasis-open.org/issues/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
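The token choreography sketched in the issue description, worked through as an added example that is not code from the OData TC or from any OData implementation. The issue asks for the header name and format to be standardized but does not fix them, so the header name `X-CSRF-Token`, the per-session token store, the cookie-based session lookup and the `Session`/`ODataServer` classes are all assumptions of this example. Both sides of the exchange are shown: the legitimate client that harvests the token from a GET response and echoes it on a modifying request, and a cross-site forgery that carries the victim's cookie but cannot supply the token.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple

# ASSUMPTION: ODATA-262 leaves the header name to be standardized; this
# example uses a hypothetical "X-CSRF-Token" header in both directions.
CSRF_HEADER = "X-CSRF-Token"
MODIFYING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


class Session:
    """Server-side session state, looked up by the cookie value (assumed design)."""

    def __init__(self) -> None:
        self.csrf_token: Optional[str] = None


class ODataServer:
    """Toy server implementing the GET-issues-token / modify-requires-token pattern."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}
        self.modifications = 0  # counts modifying requests that were accepted

    def new_session(self) -> str:
        """Create an authenticated session and return its cookie value."""
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = Session()
        return cookie

    def handle(self, method: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
        """Return (status, response headers). Header names are matched exactly here;
        a real server must treat them case-insensitively."""
        cookie = headers.get("Cookie")
        session = self.sessions.get(cookie) if cookie else None
        if session is None:
            return 401, {}
        method = method.upper()
        if method in ("GET", "HEAD"):
            # Issue one unguessable token per session and hand it back in the header.
            # A cross-origin page cannot read this response header, which is what
            # makes the token a secret the attacker does not hold.
            if session.csrf_token is None:
                session.csrf_token = secrets.token_urlsafe(32)
            return 200, {CSRF_HEADER: session.csrf_token}
        if method in MODIFYING_METHODS:
            presented = headers.get(CSRF_HEADER, "")
            # Reject if no token was ever issued for this session or the presented
            # value does not match; compare in constant time to avoid timing leaks.
            if session.csrf_token is None or not hmac.compare_digest(
                presented.encode(), session.csrf_token.encode()
            ):
                return 403, {}
            self.modifications += 1
            return 204, {}
        return 405, {}


def legitimate_flow(server: ODataServer, cookie: str) -> Tuple[int, int]:
    """Client side: GET to fetch the token, then a POST that echoes it back."""
    status, resp = server.handle("GET", {"Cookie": cookie})
    token = resp[CSRF_HEADER]
    status2, _ = server.handle("POST", {"Cookie": cookie, CSRF_HEADER: token})
    return status, status2


def forged_flow(server: ODataServer, cookie: str) -> int:
    """A cross-site form submission: the browser attaches the victim's cookie
    automatically, but a plain form cannot set a custom request header and the
    attacking origin never saw the token, so the request arrives without it."""
    status, _ = server.handle("POST", {"Cookie": cookie})
    return status


def guessed_token_flow(server: ODataServer, cookie: str) -> int:
    """An attacker who can set headers (e.g. via a CORS-misconfigured XHR) but has
    to guess the 32-byte random token is still rejected."""
    status, _ = server.handle("PATCH", {"Cookie": cookie, CSRF_HEADER: "0" * 43})
    return status


if __name__ == "__main__":
    srv = ODataServer()
    c = srv.new_session()
    print("legitimate:", legitimate_flow(srv, c))
    print("forged form post:", forged_flow(srv, c))
    print("guessed token:", guessed_token_flow(srv, c))
    print("accepted modifications:", srv.modifications)
```

Two properties carry the whole scheme: the token must be unpredictable (here `secrets.token_urlsafe`, not a counter or a hash of the session id), and the browser must prevent the attacking origin from reading the GET response or attaching the header. The second property is only as strong as the service's CORS policy, so a server that answers cross-origin requests with a permissive `Access-Control-Allow-Origin` plus credentials undoes the protection even though the token check itself is correct.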