Timeline for Do WebSocket-powered web apps (e.g. "comet" apps) have to worry about CSRF?
Current License: CC BY-SA 3.0
10 events
| when | what | action | by | license | comment |
|---|---|---|---|---|---|
| Oct 7, 2021 at 7:18 | history | edited | CommunityBot | | replaced http://tools.ietf.org/html/draft with https://datatracker.ietf.org/doc/html/draft |
| Oct 7, 2021 at 6:58 | history | edited | CommunityBot | | replaced http://tools.ietf.org/html/rfc with https://www.rfc-editor.org/rfc/rfc |
| Feb 1, 2017 at 14:47 | comment | added | Daniel C | | @Adi: "WebSockets do follow the RFC6454 (The Web Origin Concept)." --- Not all clients have to add the origin header: "The request MUST include a header field with the name \|Origin\| [RFC6454] if the request is coming from a browser client." |
| May 18, 2013 at 19:25 | comment | added | mgibsonbr | | @Adnan new attempt... you're right that the previous answer was uninformed, and I really appreciate the feedback, but I disagree it had nothing to do with CSRF: I was simply breaking down the elements that allow such attacks to take place (something I made more explicit after this edit) and commenting on how much each of them applied to WebSockets. And the "speculations" were simply more questions that - while I didn't/don't have a definite answer to them - I judged important in evaluating whether or not the assumptions we make about the browser behavior are correct. |
| May 18, 2013 at 19:17 | history | undeleted | mgibsonbr | | |
| May 18, 2013 at 19:16 | history | edited | mgibsonbr | CC BY-SA 3.0 | added 1395 characters in body |
| May 18, 2013 at 16:37 | history | deleted | mgibsonbr | | |
| May 18, 2013 at 16:36 | comment | added | mgibsonbr | | @Adnan ok, thanks for the info, I'll read more about the RFC6454. But in face of this, I guess this answer is unsalvageable, so I'm deleting it... |
| May 18, 2013 at 16:12 | comment | added | Adi | | -1 This answer is completely misleading and uninformed, and the parts that try to be helpful are mere speculations. WebSockets do follow the RFC6454 (The Web Origin Concept). The RFC6455 explains how cookies should be used and how the user agent should transport these cookies. Finally, the whole answer has nothing to do with CSRF. |
| May 18, 2013 at 15:55 | history | answered | mgibsonbr | CC BY-SA 3.0 | |