

Subject: [OASIS Issue Tracker] Commented: (ODATA-262) Specify how OData services can be protected against cross-site request forgery (CSRF or XSRF)


    [ http://tools.oasis-open.org/issues/browse/ODATA-262?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=32642#action_32642 ] 

Michael Pizzo commented on ODATA-262:
-------------------------------------

An alternative suggested by our web security folks is to first use basic auth to request a token (e.g., using OAuth2) that can then be used as a bearer token in requests to protected resources. This significantly reduces the exposure of the user's credentials, and because bearer tokens are not subject to request forgery you can get out of the anti-CSRF business.

> Specify how OData services can be protected against cross-site request forgery (CSRF or XSRF)
> ---------------------------------------------------------------------------------------------
>
>                 Key: ODATA-262
>                 URL: http://tools.oasis-open.org/issues/browse/ODATA-262
>             Project: OASIS Open Data Protocol (OData) TC
>          Issue Type: New Feature
>          Components: OData Protocol 
>    Affects Versions: V4.0_WD01
>         Environment: [Proposed]
>            Reporter: Ralf Handl
>             Fix For: V4.0_WD01
>
>
> A good CSRF protection pattern is that the server issues a CSRF token that is communicated to the client in a special header in responses to GET requests.
> This CSRF token must be included in a special header in subsequent modifying requests.
> To guarantee interoperability between different OData implementations the choreography, header names, and header formats must be standardized.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://tools.oasis-open.org/issues/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
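The token choreography described in the issue (token issued in a response header to a GET, required in a header on every modifying request), as an added illustration that is not part of ODATA-262 or any OData implementation. The header name `X-CSRF-Token` and the `Fetch` request value are assumptions for the example; the point it shows is that a forged cross-site request carries the victim's session but cannot read or set the custom header, so the check fails closed.

```python
# Added example: minimal server-side simulation of the CSRF token choreography
# proposed in ODATA-262. Header name and "Fetch" value are assumptions.
import hmac
import secrets

CSRF_HEADER = "X-CSRF-Token"                      # assumed header name
MODIFYING = {"POST", "PUT", "PATCH", "DELETE"}    # requests that need the token


class ODataService:
    """Toy service issuing one unguessable CSRF token per authenticated session."""

    def __init__(self):
        self._tokens = {}   # session id -> issued token

    def handle(self, method, headers, session_id):
        """Process one request; returns (status, response_headers)."""
        method = method.upper()
        if method == "GET":
            # Safe request: issue (or re-issue) the session's token when the
            # client asks for it. The response header is not readable by a
            # cross-origin page, so a third-party site never learns the token.
            resp = {}
            if headers.get(CSRF_HEADER, "").lower() == "fetch":
                token = self._tokens.setdefault(session_id, secrets.token_urlsafe(32))
                resp[CSRF_HEADER] = token
            return 200, resp
        if method in MODIFYING:
            expected = self._tokens.get(session_id)
            supplied = headers.get(CSRF_HEADER, "")
            # Constant-time comparison; a missing, foreign or stale token is
            # rejected, which is exactly what a forged cross-site request looks like.
            if expected is None or not hmac.compare_digest(expected, supplied):
                return 403, {CSRF_HEADER: "Required"}
            return 204, {}
        return 405, {}


def legitimate_flow(service, session_id):
    """Client fetches a token on GET, then sends it on a PATCH."""
    _, hdrs = service.handle("GET", {CSRF_HEADER: "Fetch"}, session_id)
    status, _ = service.handle("PATCH", {CSRF_HEADER: hdrs[CSRF_HEADER]}, session_id)
    return status


def forged_flow(service, session_id):
    """Cross-site request: victim's session is present, custom header is not."""
    status, _ = service.handle("POST", {}, session_id)
    return status
```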
