
Re: [cors] unaddressed security concerns

From: Arthur Barstow <Art.Barstow@nokia.com>
Date: Tue, 13 Oct 2009 07:14:01 -0400
Message-Id: <2F912AA0-144D-4BA2-BF75-05DFEF58F95B@nokia.com>
Cc: Henry Thompson <ht@inf.ed.ac.uk>, Jonas Sicking <jonas@sicking.cc>, public-webapps <public-webapps@w3.org>
To: ext Adam Barth <w3c@adambarth.com>, Anne van Kesteren <annevk@opera.com>, "Mark S. Miller" <erights@google.com>
On Oct 13, 2009, at 1:49 AM, ext Adam Barth wrote:

>> If this is not access control, I must ask: what do you mean by  
>> "access control"?
>
> I'm not sure the abstract question of whether CORS is an access
> control system is that meaningful.  We should concentrate on the
> following questions:
>
> 1) Does CORS introduce security vulnerabilities into legacy servers
> that are unaware of the CORS protocol?
> 2) How well does CORS support the simple use cases of cross-origin
> resource sharing?
> 3) Does CORS prevent sophisticated developers from implementing
> advanced use cases?
>
> Do you find CORS problematic for any of the above questions?  Do you
> think we should be concerned with other questions?

Agree these are the right questions. Thanks Adam.

I noticed "access control" doesn't even occur in the spec any more  
except for the document's shortname of "access-control" and we may  
change that name when the doc is next published.

-Regards, Art Barstow
Received on Tuesday, 13 October 2009 11:15:44 GMT
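To make Adam's first question concrete, here is an added example (not code from the thread, the CORS spec, or any browser) that models the two browser-side decisions behind it: whether a cross-origin request can be sent without a preflight, and whether a response may be exposed to the requesting script. The rule set is the simple-method/simple-header list and the Access-Control-Allow-Origin matching as described in the spec of that period; the origins, header sets and server names in the scenarios are constructed for illustration.

```python
"""Minimal model of the browser-side CORS decisions.

Added example. It shows why a legacy server that knows nothing about
CORS sees nothing new: it only ever receives requests an HTML form
could already send, and the browser withholds the response from script
unless the server explicitly opts in with Access-Control-Allow-Origin.
"""
from typing import Mapping, Optional

# Methods and headers a plain HTML form (or <img>/<script>) can already
# produce; these go out without a preflight (2009-era "simple" set).
SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SIMPLE_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SIMPLE_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; values are returned untouched."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def needs_preflight(method: str, request_headers: Mapping[str, str]) -> bool:
    """True if the browser must send an OPTIONS preflight first.

    A request that needs a preflight never reaches a legacy server as a
    real request: the server answers OPTIONS without the CORS headers and
    the browser stops there.
    """
    if method.upper() not in SIMPLE_METHODS:
        return True
    for name, value in request_headers.items():
        lname = name.lower()
        if lname not in SIMPLE_HEADERS:
            return True
        if lname == "content-type":
            # Compare the media type only; parameters such as charset are ignored.
            media_type = value.split(";", 1)[0].strip().lower()
            if media_type not in SIMPLE_CONTENT_TYPES:
                return True
    return False


def response_exposed(
    request_origin: str,
    response_headers: Mapping[str, str],
    credentials: bool = False,
) -> bool:
    """True if script in `request_origin` may read the response.

    Mirrors the resource sharing check: the server must name the origin
    (or "*"), and a credentialed request additionally needs an exact
    origin match plus Access-Control-Allow-Credentials: true.
    """
    allow_origin = _header(response_headers, "Access-Control-Allow-Origin")
    if allow_origin is None:
        return False  # legacy server: no opt-in, response stays hidden
    if allow_origin == "*":
        return not credentials  # wildcard is never valid with credentials
    if allow_origin != request_origin:  # byte-for-byte comparison
        return False
    if credentials:
        return _header(response_headers, "Access-Control-Allow-Credentials") == "true"
    return True


def describe(origin: str, method: str, req_headers: Mapping[str, str],
             resp_headers: Mapping[str, str], credentials: bool = False) -> str:
    """One-line verdict for a constructed scenario."""
    if needs_preflight(method, req_headers):
        return "preflight required (legacy server never sees the real request)"
    if response_exposed(origin, resp_headers, credentials):
        return "sent without preflight; response exposed to script"
    return "sent without preflight; response withheld from script"


if __name__ == "__main__":
    # Constructed scenarios: a legacy server (no CORS headers) versus one
    # that opts in. Origins and hostnames are placeholders.
    ORIGIN = "https://app.example"
    legacy = {"Content-Type": "text/html"}
    opted_in = {"Access-Control-Allow-Origin": ORIGIN,
                "Access-Control-Allow-Credentials": "true"}
    print(describe(ORIGIN, "POST", {"Content-Type": "text/plain"}, legacy))
    print(describe(ORIGIN, "DELETE", {}, legacy))
    print(describe(ORIGIN, "POST", {"Content-Type": "application/json"}, legacy))
    print(describe(ORIGIN, "GET", {"Accept": "*/*"}, opted_in, credentials=True))
```

The model deliberately leaves out the preflight response handling and header exposure lists; its point is only that a server which never emits the opt-in header is in the same position as it was before CORS existed, which is the heart of question 1.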
