💾 Archived View for rawtext.club › ~sloum › geminilist › 006928.gmi captured on 2021-12-05 at 23:47:19. Gemini links have been rewritten to link to archived content
-=-=-=-=-=-=-
Oliver Simmons oliversimmo at gmail.com
Fri Jul 16 11:45:43 BST 2021
- - - - - - - - - - - - - - - - - - -
On Fri, 16 Jul 2021 at 09:55, nervuri <nervuri at disroot.org> wrote:
> Before following a URI which is in scope of a client certificate from
> a URI outside of that scope, clients MUST/SHOULD display the target
> URI and what client certificate would be used to connect to it.
> Doing this will help protect against Cross-Site Request Forgery
> (CSRF). It applies to:
> * following a link on a page
> * going through one or more redirects
How about the following?
"A client MUST NOT make a request to a URI in the scope of a client certificate outside the current scope, unless the user explicitly allows the request. The client SHOULD present the full target URI to the user."
This solves some of the issues with 'display' and makes the part about user control more clear IMO.
Maybe it would be good to mention it's ok to make the request without the client cert?
--
Oliver Simmons (GoodClover)
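As an added illustration (not code from anyone in this thread or from any Gemini client), here is one way a client could implement the rule proposed above: decide, for a link or for each hop of a redirect chain, whether the target falls inside a client-certificate scope that the current page is outside of, and if so stop and ask the user before sending anything. The scope model is an assumption for the example: a certificate is bound to a host plus a path prefix, and the most specific matching prefix wins, so moving from one scope into a nested, more privileged one also triggers confirmation. All names (`CertScope`, `check_transition`, `first_hop_needing_confirmation`) and the sample URIs are constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class CertScope:
    """A client certificate and the URI prefix it is bound to (assumed model)."""
    host: str
    path_prefix: str   # e.g. "/app/"; "/" or "" means the whole host
    cert_name: str


def in_scope(uri: str, scope: CertScope) -> bool:
    """True if `uri` lies inside `scope` (same host, path under the prefix)."""
    parts = urlsplit(uri)
    if parts.scheme.lower() != "gemini":
        return False
    if (parts.hostname or "").lower() != scope.host.lower():
        return False
    path = parts.path or "/"
    prefix = scope.path_prefix.rstrip("/")
    # Require a path-segment boundary so that a scope of /app does not
    # silently cover /application as well.
    return prefix == "" or path == prefix or path.startswith(prefix + "/")


def cert_for(uri: Optional[str], scopes: Sequence[CertScope]) -> Optional[CertScope]:
    """The certificate that would be sent for `uri`: most specific matching scope."""
    if uri is None:
        return None
    matches = [s for s in scopes if in_scope(uri, s)]
    if not matches:
        return None
    return max(matches, key=lambda s: len(s.path_prefix.rstrip("/")))


def check_transition(current_uri: Optional[str], target_uri: str,
                     scopes: Sequence[CertScope]) -> Tuple[str, Optional[CertScope]]:
    """Apply the proposed rule to one request.

    Returns ("allow", scope) when the request may be sent without asking,
    or ("confirm", scope) when the client must show the target URI and the
    certificate to the user first. `current_uri` is None when there is no
    page context (e.g. a bookmark), which is treated as "outside every scope".
    """
    target_scope = cert_for(target_uri, scopes)
    if target_scope is None:
        return "allow", None            # no client cert involved at all
    if cert_for(current_uri, scopes) == target_scope:
        return "allow", target_scope    # staying inside the same scope
    return "confirm", target_scope      # entering a scope from outside it


def first_hop_needing_confirmation(start_uri: str, redirect_chain: List[str],
                                   scopes: Sequence[CertScope]):
    """Walk a redirect chain hop by hop; each hop is judged against the
    previous hop's scope. Returns (index, uri, scope) for the first hop that
    needs user confirmation, or None if the whole chain may be followed."""
    prev = start_uri
    for i, hop in enumerate(redirect_chain):
        action, scope = check_transition(prev, hop, scopes)
        if action == "confirm":
            return i, hop, scope
        prev = hop
    return None


# Constructed sample data: an app cert for /app/ and a more privileged
# admin cert for the nested /app/admin/ prefix on the same host.
SCOPES = [
    CertScope("example.org", "/app/", "app-cert"),
    CertScope("example.org", "/app/admin/", "admin-cert"),
]

if __name__ == "__main__":
    print(check_transition("gemini://example.org/", "gemini://example.org/app/act", SCOPES))
    print(first_hop_needing_confirmation(
        "gemini://example.org/",
        ["gemini://other.example/go", "gemini://example.org/app/act"],
        SCOPES))
```

The redirect walk is what makes the "one or more redirects" case from the quoted text work: a chain that bounces through an unrelated host and then lands inside the cert scope is caught on the hop that crosses the boundary, not just on the final URI.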