The root cause of this issue comes from the
origins of the World Wide Web.
Back in the 1980s when he was working at the European research institute CERN,
Tim Berners-Lee envisioned the World Wide Web as a method for the retrieval of
formatted text and pictures, with the expressed goal of improving scientific and
engineering communication. The Web's basic functionality of information retrieval has
been expanded multiple times by the World Wide Web Consortium (W3C) and
other interested standards bodies, with additions such as the HTTP POST function,
JavaScript, and XMLHTTPRequest.
Although some thought has gone into the topic of requests that change application
state (such as transferring money at a bank site or changing a password), the warnings
such as the one from RFC 2616 (for HTTP) are often ignored. Even if such warnings are
followed, and a web developer restricts his or her application to accepting only state
changes via HTTP POST requests, a fundamental problem still exists: Actions performed
intentionally by a user cannot be distinguished from those performed automatically by the web
page she is viewing.
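The following is an added example, not code from the book, that shows the only practical way a server can tell an intentional action from an automatic cross-domain request: it has to demand something the other page cannot read or spoof. The request and session records, the origin `https://bank.example`, the `/transfer` path and the function names are all constructed for this illustration and do not correspond to any real framework API.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed stand-ins for a web framework's session and request objects.
@dataclass
class Session:
    user: str
    # Per-session secret that is only ever embedded in pages served by this site.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]
    form: Dict[str, str]

SITE_ORIGIN = "https://bank.example"   # assumed origin of the protected application
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

def is_intentional(session: Session, req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason) for a state-changing request.

    Restricting state changes to POST is step 1 but is not sufficient on its own:
    a page on another site can still auto-submit a POST form carrying the victim's
    cookies. Steps 2 and 3 add what that page cannot supply.
    """
    # 1. Never change state on GET: an <img src> can only issue GETs, so any
    #    state-changing GET handler is reachable from every page on the Web.
    if req.method == "GET":
        return False, "state change attempted via GET"
    if req.method not in STATE_CHANGING:
        return False, "unexpected method %s" % req.method
    # 2. Origin/Referer check: browsers attach these to cross-site form posts and
    #    script cannot overwrite them. A missing header is treated as unknown, not trusted.
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if origin != SITE_ORIGIN and not origin.startswith(SITE_ORIGIN + "/"):
        return False, "cross-origin request from %s" % (origin or "<none>")
    # 3. Synchronizer token: the form must echo the per-session secret, compared
    #    in constant time so the check itself leaks nothing.
    submitted = req.form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session.csrf_token):
        return False, "missing or wrong CSRF token"
    return True, "ok"

def demo() -> Dict[str, bool]:
    """Run three constructed requests through the check and report which pass."""
    session = Session(user="alice")
    # The user really clicked 'transfer' on our own page: same origin, token present.
    legit = Request("POST", "/transfer", {"Origin": SITE_ORIGIN},
                    {"to": "bob", "amount": "10", "csrf_token": session.csrf_token})
    # What a cross-domain image tag produces: a GET with the right parameters,
    # the victim's cookies, but no token and a foreign Referer.
    image_tag_get = Request("GET", "/transfer?to=mallory&amount=1000",
                            {"Referer": "https://evil.example/page"}, {})
    # What an auto-submitted foreign form produces: the POST the developer
    # insisted on, still without the token and with a foreign Origin.
    auto_post = Request("POST", "/transfer", {"Origin": "https://evil.example"},
                        {"to": "mallory", "amount": "1000"})
    return {
        "legit": is_intentional(session, legit)[0],
        "image_tag_get": is_intentional(session, image_tag_get)[0],
        "auto_submitted_post": is_intentional(session, auto_post)[0],
    }

if __name__ == "__main__":
    for name, allowed in demo().items():
        print("%-20s %s" % (name, "allowed" if allowed else "rejected"))
```

The ordering matters: the Origin check alone rejects the foreign page, but the token check is what still holds when a proxy strips Referer or a browser omits Origin, so the two are layered rather than chosen between.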
Cross-Domain Image Tags
Popularity: 7
Simplicity: 4
Impact: 9
Risk Rating: 8
Let's look at an example of how difficult it is to differentiate between an intentional user
action and an automatic cross-domain request.