Request forgery/cross-protocol attacks #175
Comments
|
@martinthomson Would you like to provide some prose suggestions? |
|
A citation for Section 21.5 of QUIC might be a good way to avoid having to say anything too carefully. (I can't promise to get to this soon, but keep me assigned.) |
martinthomson
added a commit
to martinthomson/webtransport
that referenced
this issue
Oct 13, 2021
In looking into this text and the related specifications I decided that it would be better to address the risk of request forgery in the protocol specifications. Right now, they say nothing about this problem, but they really should. I'm going to open an issue. On the assumption that the protocol documents address this problem adequately, then this document doesn't need to concern itself with the problem. It is enough to remove any false claims and defer to the protocol spec. This contains a tweak to the adjacent text for the Origin field (w3c#368), but it doesn't fix that issue. Closes w3c#175.
This was referenced Oct 13, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The current security considerations text implies that there are good defenses against cross-protocol attacks. QUIC isn't completely free from this style of attack. Some careful rewording might be needed.
The text was updated successfully, but these errors were encountered: