Geeks With Blogs

Tangible Thoughts SharePoint, MOSS? and all the other questions

If you’ve seen my earlier posts on SharePoint Single Sign-On, you may remember that I showed some curiosity about the role of the Canary in SharePoint.

So here is Chris’s (the nice chap I mentioned in those posts) take on it.

The “canary” was implemented to thwart a variety of cross-site scripting / single-click attacks. Examples include receiving a mail with a link to a malicious web site that then tries to either redirect you to another page or otherwise use your identity to gain access that the hacker would not otherwise have. The canary is an encrypted set of data that allows us to validate that the user POSTing a given form has been to the site recently.

We don’t allow write operations in a GET for similar reasons. You can only read data during a GET.

So the next time you use a Form Digest in a WebPart or custom ASPX page for SharePoint, you will understand why it’s needed.
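Chris’s description above, modelled as an added example (my own illustration, not SharePoint’s implementation): a digest minted at page-render time binds the user, the site and a timestamp under a server-side HMAC key; on a POST the server checks that the digest is genuine, belongs to this user and site, and is fresh, while a GET is never allowed to write. The key, the lifetime and the function names are assumptions; only the hidden field name `__REQUESTDIGEST` is SharePoint’s own.

```python
import base64
import hashlib
import hmac
import time

# Server-side key, constructed for this example; a real deployment keeps it in protected config.
SECRET_KEY = b"example-only-server-key"
# How "recently" the user must have rendered a page for the digest to count as fresh.
DIGEST_LIFETIME_SECONDS = 30 * 60

def issue_form_digest(user, site, now=None):
    """Mint a digest at page-render time that ties this user to this site at this moment.
    The page embeds it in a hidden form field; a page on another site cannot read it."""
    ts = int(now if now is not None else time.time())
    payload = f"{user}|{site}|{ts}".encode()          # '|' is assumed absent from user/site
    mac = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + mac

def validate_form_digest(digest, user, site, now=None):
    """True only if the digest was minted by this server, for this user and site, and is still fresh."""
    try:
        encoded, mac = digest.split(".", 1)
        payload = base64.urlsafe_b64decode(encoded.encode())
        d_user, d_site, d_ts = payload.decode().split("|")
        age = (now if now is not None else time.time()) - int(d_ts)
    except (ValueError, UnicodeDecodeError):
        return False                                    # malformed or missing
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False                                    # forged or tampered
    if d_user != user or d_site != site:
        return False                                    # minted for a different identity or site
    return 0 <= age <= DIGEST_LIFETIME_SECONDS          # stale (or future-dated) digests are rejected

def handle_request(method, form, user, site, now=None):
    """Models the two rules in the post: GET never writes; a POST writes only with a valid digest."""
    if method == "GET":
        return "read-only view"
    if method == "POST":
        # '__REQUESTDIGEST' is the hidden field name SharePoint itself uses for the digest.
        if validate_form_digest(form.get("__REQUESTDIGEST", ""), user, site, now):
            return "write applied"
        return "rejected: missing, stale or forged digest"
    return "rejected: unsupported method"
```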

Thanks very much for the info Chris.

Posted on Monday, October 18, 2004 11:39 AM SharePoint

Comments on this post: Role of the Canary in SharePoint (Single Sign-On or otherwise)


Copyright © Tariq