On Tue, Mar 01, 2011 at 08:14:01AM +0000, Jeremy Henty wrote:
> Benjamin Johnson wrote:
> > The default is not to allow automatic requests (such as redirects) unless they're from the same domain. Frankly I think this is a stupid default, because even though it's a little more secure, it also breaks most real world sites.
>
> I agree. The default even breaks Google. No doubt the security concerns are real but we need a solution that is not so bad for usability. Does anyone know if other browsers take similar precautions, and what their algorithm is?
I think the security concern is real - see e.g. here: http://www.owasp.org/index.php/CSRF

But I would be happy if someone would come up with some more sophisticated security measures that would allow us to be more compatible with common websites by default. Maybe something as described in http://www.owasp.org/index.php/File:RequestRodeo-MartinJohns.pdf

Not sure whether this is still state of the art, but it sounds at least reasonable.

Cheers,
Johannes
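To make the two options in this thread concrete, here is an added illustration (not code from the browser being discussed, nor from any of the people quoted above): a same-domain check applied to automatic requests, once as the blocking default Benjamin describes and once as the RequestRodeo-style alternative Johannes points to, which lets the request through but drops the cookies that would make it an authenticated one. The `Request` type, the policy functions, the two-label `registrable_domain` shortcut and the sample URLs are all assumptions of this example; a real implementation would need the Public Suffix List to decide what "same domain" means.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple
from urllib.parse import urlsplit


@dataclass
class Request:
    """An outgoing HTTP request as the browser is about to issue it (hypothetical type)."""
    url: str
    automatic: bool                               # True for a redirect or embedded resource, False for a user click
    cookies: Dict[str, str] = field(default_factory=dict)  # credentials the browser would attach


def registrable_domain(host: str) -> str:
    """Reduce a host name to its registrable domain.

    Assumption of this example: keep the last two labels, so 'www.google.com'
    becomes 'google.com'.  A browser needs the Public Suffix List to get
    'google.co.uk' and similar cases right.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def same_domain(url_a: str, url_b: str) -> bool:
    """Compare two URLs by registrable domain rather than by exact host."""
    host_a = urlsplit(url_a).hostname or ""
    host_b = urlsplit(url_b).hostname or ""
    return registrable_domain(host_a) == registrable_domain(host_b)


Verdict = Tuple[str, Dict[str, str]]  # ("allow" | "block", cookies actually sent)


def strict_policy(page_url: str, req: Request) -> Verdict:
    """Refuse any automatic request that leaves the current domain.

    This is the blocking default the thread complains about: a redirect from
    one site to another never reaches the network, so the user sees an error.
    """
    if req.automatic and not same_domain(page_url, req.url):
        return "block", {}
    return "allow", dict(req.cookies)


def strip_credentials_policy(page_url: str, req: Request) -> Verdict:
    """Let automatic cross-domain requests through, but without implicit credentials.

    This is the RequestRodeo idea from the paper linked above: a request that
    arrives without the user's cookies cannot act on the user's session, so a
    forged cross-site request is harmless while ordinary redirects keep working.
    User-initiated navigation is left untouched.
    """
    if req.automatic and not same_domain(page_url, req.url):
        return "allow", {}
    return "allow", dict(req.cookies)


# Constructed scenarios (page the request originates from, request about to be sent).
SCENARIOS: Dict[str, Tuple[str, Request]] = {
    "user_click_cross_domain": (
        "http://news.example/", Request("http://bank.example/", automatic=False, cookies={"session": "abc"})),
    "redirect_within_domain": (
        "http://google.com/", Request("http://www.google.com/", automatic=True, cookies={"PREF": "x"})),
    "redirect_cross_domain": (
        "http://forum.example/", Request("http://bank.example/transfer", automatic=True, cookies={"session": "abc"})),
}


def evaluate(policy: Callable[[str, Request], Verdict]) -> Dict[str, Verdict]:
    """Run every scenario through one policy and collect the verdicts."""
    return {name: policy(page, req) for name, (page, req) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, policy in (("strict", strict_policy), ("strip-credentials", strip_credentials_policy)):
        print(f"== {name} ==")
        for scenario, (verdict, cookies) in evaluate(policy).items():
            print(f"{scenario:26s} {verdict:5s} cookies={cookies}")
```

Running it shows the usability difference directly: the within-domain redirect passes under both policies, and the cross-domain redirect is refused outright by the strict policy but merely sent cookie-less by the stripping one, which is what keeps a page's redirects working while denying a forged request the user's session.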