cmis-browser message
Subject: Re: [cmis-browser] Browser Binding CSRF Defense and Authentication
- From: Scott Malabarba <scott.malabarba@us.ibm.com>
- To: cmis-browser@lists.oasis-open.org
- Date: Thu, 9 Jun 2011 09:52:13 -0700
Looks promising. I need to read up on cross-domain use of IFRAMEs.

One question I have is: on step 1, the browser submits (into the IFRAME) a request to the server to which the server responds with a piece of JavaScript that can handle the token message. How does the server know that this request came from a legitimate client? Or, by what criteria would the browser block a malicious page from posting the URL into its own IFRAME?

Does next Tuesday or Wednesday 9AM PST work for a call?

Thanks,
Scott

From: Florian Müller <florian.mueller@alfresco.com>
To: cmis-browser@lists.oasis-open.org
Date: 06/09/2011 08:55 AM
Subject: [cmis-browser] Browser Binding CSRF Defense and Authentication

Hi all,
I finally have written up how the authentication process could work in
the browser binding [1].
Sorry for the delay!
Please find flaws. Seriously.
Maybe we should set up another call to discuss it.
Thanks,
Florian
[1] http://www.oasis-open.org/apps/org/workgroup/cmis-browser/download.php/42484/BrowserBindingCSRFDefense.docx