cmis-browser message



Subject: Invitation: CMIS browser binding CSRF discussion (May 18 09:00 AM PDT in 888-426-6840, pc 7926194)


Organizer: Scott Malabarba/Costa Mesa/IBM (scott.malabarba@us.ibm.com)
Invitee: cmis-browser@lists.oasis-open.org
When: May 18, 2011, 09:00 AM to 10:00 AM (America/Los_Angeles)
Dial-in: 888-426-6840 (USA toll-free), 215-861-6239 (USA caller paid); participant code 7926194
Web conference, if applicable: https://lli.ibm.com/meeting/join/?schedid=3955133

Continuation of CSRF discussion.

Two questions to start with:
- CORS can be applied by server administrators for added security without any provision in the CMIS API -- correct?
- With the addition of double-submit cookies, can a server securely pass a secret token to the client?

http://tools.oasis-open.org/issues/browse/CMIS-715
