
Subject: Re: [cmis-browser] Browser Binding CSRF Defense and Authentication


Hi Scott,

Each message contains a handle to the source frame and the origin domain. If this information is not sufficient to decide if it is a legitimate client, the server has to ask for authentication (= send the login URL).

There is a good description of postMessage() here:
https://developer.mozilla.org/en/DOM/window.postMessage

Tuesday and Wednesday would work for me.


- Florian
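The decision Florian describes (inspect the origin delivered with each postMessage(), hand over the token only to a recognised client, otherwise answer with the login URL) as an added example; this is not code from the thread or from the CMIS browser binding, and the origins, login URL and token value are constructed:

```javascript
// Added example: origin check a repository's token-frame script could apply to
// postMessage() requests. ALLOWED_ORIGINS, LOGIN_URL and tokens are constructed.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",      // constructed client origins
  "https://portal.example.org",
]);
const LOGIN_URL = "https://repo.example.net/login";   // constructed

// Exact match on the full origin (scheme://host[:port]). A substring or
// prefix test would also accept "https://app.example.com.evil.test".
function isTrustedOrigin(origin) {
  return typeof origin === "string" && ALLOWED_ORIGINS.has(origin);
}

// Answer one incoming message. `event` has the shape of a DOM MessageEvent
// ({origin, source, data}); the reply is returned so the decision is testable.
function handleTokenRequest(event, issueToken) {
  if (event.data !== "getToken") {
    return null;                          // ignore unrelated messages
  }
  let reply;
  if (isTrustedOrigin(event.origin)) {
    reply = { type: "token", token: issueToken() };
  } else {
    // Origin alone does not prove a legitimate client: send the login URL.
    reply = { type: "login", url: LOGIN_URL };
  }
  // targetOrigin is the sender's exact origin, never "*", so the token is not
  // delivered if the source frame has navigated to another origin meanwhile.
  event.source.postMessage(reply, event.origin);
  return reply;
}

// Constructed stand-in for a window reference; records what was posted to it.
function fakeSource() {
  const sent = [];
  return { sent, postMessage: (msg, target) => sent.push({ msg, target }) };
}

function demo() {
  const ok = fakeSource();
  const r1 = handleTokenRequest(
    { origin: "https://app.example.com", source: ok, data: "getToken" },
    () => "tok-123");
  const bad = fakeSource();
  const r2 = handleTokenRequest(
    { origin: "https://app.example.com.evil.test", source: bad, data: "getToken" },
    () => "tok-456");
  return { r1, r2, okTarget: ok.sent[0].target, badTarget: bad.sent[0].target };
}
```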


----- Original Message -----
From: "Scott Malabarba" <scott.malabarba@us.ibm.com>
To: cmis-browser@lists.oasis-open.org
Sent: Thursday, June 9, 2011 5:52:13 PM GMT +00:00 GMT Britain, Ireland, Portugal
Subject: Re: [cmis-browser] Browser Binding CSRF Defense and Authentication

Looks promising. I need to read up on cross-domain use of IFRAMEs.
One question I have is: on step 1, the browser submits (into the IFRAME) a request to the server to which the server responds with a piece of JavaScript that can handle the token message. How does the server know that this request came from a legitimate client? Or, by what criteria would the browser block a malicious page from posting the URL into its own IFRAME?

Does next Tuesday or Wednesday 9AM PST work for a call?

Thanks,
Scott




From: Florian Müller <florian.mueller@alfresco.com>
To: cmis-browser@lists.oasis-open.org
Date: 06/09/2011 08:55 AM
Subject: [cmis-browser] Browser Binding CSRF Defense and Authentication




Hi all,

I have finally written up how the authentication process could work in the browser binding [1].
Sorry for the delay!

Please find flaws. Seriously.

Maybe we should set up another call to discuss it.


Thanks,

Florian


[1] http://www.oasis-open.org/apps/org/workgroup/cmis-browser/download.php/42484/BrowserBindingCSRFDefense.docx
