W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2009

[cors] unaddressed security concerns

From: Anne van Kesteren <annevk@opera.com>
Date: Thu, 08 Oct 2009 18:16:17 +0200
To: "Mark S. Miller" <erights@google.com>
Cc: "Henry S. Thompson" <ht@inf.ed.ac.uk>, "Jonas Sicking" <jonas@sicking.cc>, "Arthur Barstow" <Art.Barstow@nokia.com>, public-webapps <public-webapps@w3.org>
Message-ID: <op.u1hotfbr64w2qv@anne-van-kesterens-macbook.local>
On Thu, 08 Oct 2009 18:07:29 +0200, Mark S. Miller <erights@google.com>  
wrote:
> The core criticism that several of us have raised about CORS has never
> been addressed -- that it creates further confused deputy problems.
> Rather than addressing the "first order" confused deputy problem of
> CSRF, it merely postpones it one level, creating second order confused
> deputy problems. See Tyler's example.

I'd appreciate a pointer.


>> I was wondering if the TAG considers this item closed or wishes to know
>> something more, in which case I'd like to hear about it! I'm trying to  
>> wrap
>> up email threads and this is one of them. Thanks!
>
> If the confused deputy problems created by CORS have already been
> addressed, I'd like to hear about that. Did I miss part of the thread?
>
>> PS: The remainder of this thread about redirects and CSRF is being taken
>> care of by updates to both CORS and the Origin header draft Adam is  
>> working
>> on. In short Origin will most likely become a space-separated list  
>> revealing
>> the entire request chain.
>
> Please go back and read "Origin isn't". The redirect problem Tyler
> pointed out was merely a symptom of a deeper problem. Tyler was able
> to identify this symptom because he does not regard the underlying
> problem as merely theoretical. The Origin list "solution" is curing
> the symptom only.

I'm not sure what you are referring to, but I thought all outstanding  
issues were dealt with to be honest. (Or ended in agreed to disagree.) If  
there are still problems it would help me if they were made more concrete.  
"confused deputy" does not help me much because I don't see the problem  
you are seeing.


-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Thursday, 8 October 2009 16:17:05 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:34 GMT