Subject: [OASIS Issue Tracker] Commented: (CMIS-715) API for cross site request forgery defense
[ http://tools.oasis-open.org/issues/browse/CMIS-715?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=25577#action_25577 ]

Scott Malabarba commented on CMIS-715:
--------------------------------------

We'll meet again soon to try to close out the issue. As of the last call:

- We can simplify things by leaving out the custom header, since it's of little use in a JSONP system
- We cannot use any sort of GET call to return a secret token to the client

I'll update the proposal document once we agree on a solution.

> API for cross site request forgery defense
> ------------------------------------------
>
> Key: CMIS-715
> URL: http://tools.oasis-open.org/issues/browse/CMIS-715
> Project: OASIS Content Management Interoperability Services (CMIS) TC
> Issue Type: New Feature
> Components: Browser Binding
> Affects Versions: Browser Binding Proposal
> Reporter: Scott Malabarba
> Assignee: Scott Malabarba
> Fix For: Browser Binding Proposal
>
>
> We discussed this topic in the meeting on March 7. By supporting a form post endpoint, the browser binding introduces potential vulnerability to cross-site request forgery attacks (http://en.wikipedia.org/wiki/Csrf). We should provide for some common defenses in the browser binding API.

--
This message is automatically generated by JIRA.
- If you think it was sent incorrectly contact one of the administrators: http://tools.oasis-open.org/issues/secure/Administrators.jspa
- For more information on JIRA, see: http://www.atlassian.com/software/jira
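A server-side sketch of the two constraints recorded in the comment above (the secret token is never handed out on a GET, because a GET response can be pulled cross-site through a JSONP/script include, and every form post is checked against a session-bound token). This is an added example for this page, not code from the CMIS browser binding proposal or any implementation; the paths /token and /cmis/action, the session identifier, the form field names and the HMAC token format are all assumptions.

```python
import hashlib
import hmac
import secrets

# Server-side secret, generated fresh for this example (a real service would persist it securely).
SECRET_KEY = secrets.token_bytes(32)
TOKEN_MAX_AGE = 3600  # seconds a token stays valid (constructed value)


def mint_token(session_id: str, now: int) -> str:
    """Mint a CSRF token bound to the caller's session: '<issued_at>.<hmac-sha256>'."""
    msg = f"{session_id}|{now}".encode()
    mac = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()
    return f"{now}.{mac}"


def token_is_valid(session_id: str, token: str, now: int) -> bool:
    """Accept only a well-formed, unexpired token whose MAC matches *this* session."""
    try:
        issued_at_str, mac = token.split(".", 1)
        issued_at = int(issued_at_str)
    except ValueError:
        return False
    if not 0 <= now - issued_at <= TOKEN_MAX_AGE:
        return False
    expected = hmac.new(SECRET_KEY, f"{session_id}|{issued_at}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)  # constant-time comparison


def handle(method: str, path: str, session_id: str, form: dict, now: int) -> tuple[int, dict]:
    """Toy dispatcher for a form-post style endpoint; paths are hypothetical.

    Returns (status, body) and applies the rules from the issue discussion:
      * the token is only ever issued in response to a POST, never a GET, so a
        cross-site <script src=...> (JSONP) include cannot read it;
      * a state-changing form POST must carry a token valid for the posting session.
    """
    if path == "/token":
        if method != "POST":
            return 405, {"error": "token is only issued via POST"}
        return 200, {"token": mint_token(session_id, now)}
    if path == "/cmis/action":
        if method != "POST":
            return 405, {"error": "actions are POST-only"}
        if not token_is_valid(session_id, form.get("token", ""), now):
            return 403, {"error": "missing or invalid CSRF token"}
        return 200, {"ok": True, "action": form.get("action")}
    return 404, {"error": "not found"}
```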