[jsr-314-open-mirror] [jsr-314-open] [Spec-869-Specify CSRF Solution] PROPOSAL(s)

Kito Mann kito.mann at virtua.com
Tue Oct 26 15:48:32 EDT 2010


On Tue, Oct 26, 2010 at 2:41 PM, Andy Schwartz <andy.schwartz at oracle.com> wrote:
> Hey Kito -
>
> On 10/26/10 2:01 PM, Kito Mann wrote:
>>
>> On Mon, Oct 25, 2010 at 8:14 PM, Blake Sullivan
>> <blake.sullivan at oracle.com> wrote:
>>
>>>
>>> This leaves the ever popular GETs.  I'm probably being lazy, but at this
>>> point I'm willing to punt on GETs because of potential problems with:
>>>
>>> 1) Worries about referer leakage if the secret is encoded in the URL
>>> 2) How to deal with bookmarking
>>> 3) General dislike for ugly URLs
>>>
>>> Admittedly, I think that 2) is the only one that really requires more
>>> thought, since I think that the solution to 1) is to a) Only worry about
>>> CSRF for pages served through a secure channel b) Require that pages
>>> served to authenticated users be served through a secure channel.  For 3),
>>> I think it's gross but, that's just me :)
>>>
>>
>> I think leaving out support for GETs is a bad idea.
>
> I agree that we should support GETs.  My concern isn't whether we should
> support this - but whether the currently proposed approach of enabling this
> on a global/application level is the right way to go.  I think we need a
> finer grained solution.

Perhaps I missed it earlier in the thread, but why? And what would you propose?

-- Kito
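The two GET-specific problems Blake raises above, a secret in the URL leaking through the Referer header and a bookmarked URL carrying a stale secret, are easy to make concrete. The following is an added example, not code from the JSR-314 spec or any JSF implementation: a hypothetical scheme that binds a per-session HMAC token to the request path and parameters and carries it in a `_csrf` query parameter. The session store, the `_csrf` parameter name, the `app.example` origin and the `referer_sent` model of browser behaviour (the classic no-referrer-when-downgrade default, under which the full URL is sent for https-to-https and http-to-anything navigations and nothing for https-to-http) are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode, urlparse

# Constructed in-memory session store: session id -> per-session CSRF secret.
# A real container would keep this in the HttpSession; this is a stand-in.
SESSIONS = {}


def new_session():
    """Start a session and give it a fresh random CSRF secret."""
    sid = secrets.token_hex(8)
    SESSIONS[sid] = secrets.token_bytes(32)
    return sid


def _canonical(path, params):
    """Canonical request string the token is bound to: path plus sorted params."""
    return path + "?" + urlencode(sorted(params))


def csrf_token(sid, path, params):
    """HMAC-SHA256 of the canonical request under the session secret
    (hypothetical scheme; truncated to 128 bits for a shorter URL)."""
    mac = hmac.new(SESSIONS[sid], _canonical(path, params).encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


def protected_get_url(sid, path, params, origin="https://app.example"):
    """Build a GET URL carrying the session-bound token as the `_csrf` parameter."""
    query = list(params) + [("_csrf", csrf_token(sid, path, params))]
    return f"{origin}{path}?{urlencode(query)}"


def validate_get(sid, url):
    """Accept the GET only if its `_csrf` matches a token for the same session,
    path and parameters. Missing, duplicated, tampered and stale (other-session)
    tokens all fail, so a bookmarked URL stops working once the session is gone."""
    if sid not in SESSIONS:
        return False
    u = urlparse(url)
    params = parse_qsl(u.query)
    tokens = [v for k, v in params if k == "_csrf"]
    rest = [(k, v) for k, v in params if k != "_csrf"]
    if len(tokens) != 1:
        return False
    return hmac.compare_digest(tokens[0], csrf_token(sid, u.path, rest))


def referer_sent(from_url, to_url):
    """Referer value a browser sends when the user follows a link from
    `from_url` to `to_url` under the no-referrer-when-downgrade default
    (assumed here; modern browsers default to a stricter policy): the full URL,
    query string included, unless the navigation is https -> http."""
    src, dst = urlparse(from_url), urlparse(to_url)
    if src.scheme == "https" and dst.scheme != "https":
        return None
    return from_url


if __name__ == "__main__":
    sid = new_session()
    url = protected_get_url(sid, "/delete", [("id", "42")])
    print("valid in own session:", validate_get(sid, url))
    print("tampered id:", validate_get(sid, url.replace("id=42", "id=43")))
    print("bookmark in new session:", validate_get(new_session(), url))
    print("leaked to https partner:", referer_sent(url, "https://partner.example/"))
    print("leaked to http partner:", referer_sent(url, "http://partner.example/"))
```

Binding the token to the path and parameters means an attacker who obtains one leaked token for `/delete?id=42` cannot reuse it for a different target, but a leaked token remains valid for that exact request until the session ends. That is the residual risk behind the thread's "secure channel only" suggestion: it prevents the https-to-http case but not leakage to an https third party.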
