
Re: [cors] unaddressed security concerns

From: Adam Barth <w3c@adambarth.com>
Date: Fri, 23 Oct 2009 22:00:56 -0700
Message-ID: <7789133a0910232200j5dd5b724ie528d80e6eb814bc@mail.gmail.com>
To: Doug Schepers <schepers@w3.org>
Cc: Jonathan Rees <jar@creativecommons.org>, Maciej Stachowiak <mjs@apple.com>, "Mark S. Miller" <erights@google.com>, Anne van Kesteren <annevk@opera.com>, "Henry S. Thompson" <ht@inf.ed.ac.uk>, Jonas Sicking <jonas@sicking.cc>, Arthur Barstow <Art.Barstow@nokia.com>, public-webapps <public-webapps@w3.org>
On Fri, Oct 23, 2009 at 5:29 PM, Doug Schepers <schepers@w3.org> wrote:
> That's an interesting point... if the proponents or opponents of CORS did
> more testing and modeling, would that satisfy concerns?  Surely it couldn't
> be hard to set up a few common model architectures using CORS and announce
> them as targets for the white hat community?
>
> Mind you, I'm not stating one way or the other that this should be part of
> the exit criteria for CORS, just that it would be helpful overall, and
> frankly, if it hasn't been tried, I'm a little surprised... isn't this
> *exactly* the sort of thing Google, MS, the browser vendors, and the
> security community at large have the resources and expertise to do, as well
> as the incentive?  Can a brother get a honeypot?

These issues that Mark and co raise are not really the kinds of things
one can evaluate with a honeypot-type contest.  They're worried about
what web developers will build if we give them CORS as a tool.

Adam
Received on Saturday, 24 October 2009 05:01:49 GMT
