Simon Willison’s Weblog

CSRF is not a security issue for the Web. A well-designed Web service should be capable of receiving requests directed by any host, by design, with appropriate authentication where needed. If browsers create a security issue because they allow scripts to automatically direct requests with stored security credentials onto third-party sites, without any user intervention/configuration, then the obvious fix is within the browser.

Roy Fielding


5 comments

  1. But then he'd probably argue that the whole web could 'simply' be implemented without cookies. The irony is that the inadequate authentication mechanisms defined by HTTP are the reason we turned to cookies for auth in the first place.

    phl - 23rd January 2009 10:38

  2. It's not just cookies; browsers do the same for Basic and Digest access authentication, which they can according to the standard, http://tools.ietf.org/html/rfc2617:

    "If a prior request has been authorized, the same credentials MAY be reused for all other requests within that protection space for a period of time determined by the authentication scheme, parameters, and/or user preference."

    Dinoboff - 23rd January 2009 11:40

  3. I did wonder about CSRF via basic/digest when I posted that (too lazy to check, though).

    So even without cookies or script, you could still do basic/digest-authed CSRF via frames or img tags? That would suggest the problem is inherent in HTTP/HTML, and not the fault of newfangled user agent trickery after all.

    phl - 23rd January 2009 14:35

  4. phl, what's inadequate about Basic and Digest? Besides the terrible UI that browsers provide for them, I mean.

    I think what Roy is saying is that if site B asks a browser to make a request to site A, the browser shouldn't send authentication data without asking the user.

    Brendan Taylor - 23rd January 2009 17:34

  5. Nah. I like it how it is. Using tokens we can allow external actions to immediately effect something in our web apps by passing the token to them, and without forcing the user to go through any AYS hoops. AYS probably wouldn't be sufficient anyway... people are conditioned to click "yes" when their browser throws an AYS at them.

    Mark Jaquith - 23rd January 2009 21:51
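The thread above turns on one point: the browser attaches stored credentials (cookies, Basic/Digest) to any request a third-party page triggers, so the server cannot tell a forged request from a real one by credentials alone. Mark's comment refers to the usual server-side answer, a per-session token that the third party cannot obtain unless it is handed one. The following is an added illustration of that check, not code from the weblog or its commenters; the server secret, session ids and request dictionaries are constructed for the example, and the handler is a stand-in for a real framework view.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed for this example; a real deployment loads this from configuration.
SERVER_SECRET = b"example-server-secret-do-not-reuse"


def make_csrf_token(session_id: str) -> str:
    """Derive a per-session CSRF token as HMAC-SHA256(secret, session_id).

    The token is bound to the session, so a token minted for one victim's
    session is useless against another session, and nothing needs storing
    server-side beyond the secret.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, presented: Optional[str]) -> bool:
    """Constant-time comparison of the presented token against the expected one."""
    if not presented:
        return False
    expected = make_csrf_token(session_id)
    return hmac.compare_digest(expected, presented)


def handle_state_change(request: dict) -> Tuple[int, str]:
    """Simulated handler for a state-changing POST.

    `request` is a constructed stand-in for a framework request object with
    keys 'cookies' and 'form' (both dicts). The session cookie is exactly what
    the browser attaches automatically; the token is what it does not.
    """
    session_id = request.get("cookies", {}).get("sessionid")
    if session_id is None:
        return 401, "no session"
    token = request.get("form", {}).get("csrf_token")
    if not verify_csrf_token(session_id, token):
        return 403, "CSRF check failed"
    return 200, "ok"


if __name__ == "__main__":
    session = "victim-session-1"

    # Legitimate form rendered by the site itself carries the token.
    genuine = {"cookies": {"sessionid": session},
               "form": {"csrf_token": make_csrf_token(session)}}
    print(handle_state_change(genuine))          # (200, 'ok')

    # Forged cross-site submission: browser still sends the cookie, but the
    # third-party page could not include the token.
    forged = {"cookies": {"sessionid": session}, "form": {}}
    print(handle_state_change(forged))           # (403, 'CSRF check failed')

    # Token minted for a different session does not transfer.
    wrong_session = {"cookies": {"sessionid": session},
                     "form": {"csrf_token": make_csrf_token("other-session")}}
    print(handle_state_change(wrong_session))    # (403, 'CSRF check failed')
```

The same check covers the Basic/Digest case raised by Dinoboff and phl: replace the session cookie lookup with the authenticated username and the logic is unchanged, because the decision rests on the token rather than on whatever credentials the browser volunteered. Mark's "external actions" work the same way: an integration that has been explicitly given a token can submit it, while a page that merely causes the browser to issue a request cannot.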
