Re: [cors] unaddressed security concerns

From: Doug Schepers <schepers@w3.org>
Date: Sat, 24 Oct 2009 01:34:13 -0400
Message-ID: <4AE291D5.6050304@w3.org>
To: Adam Barth <w3c@adambarth.com>
CC: Jonathan Rees <jar@creativecommons.org>, Maciej Stachowiak <mjs@apple.com>, "Mark S. Miller" <erights@google.com>, Anne van Kesteren <annevk@opera.com>, "Henry S. Thompson" <ht@inf.ed.ac.uk>, Jonas Sicking <jonas@sicking.cc>, Arthur Barstow <Art.Barstow@nokia.com>, public-webapps <public-webapps@w3.org>
Hi, Adam-

Thanks for the reply.

Adam Barth wrote (on 10/24/09 1:00 AM):
> On Fri, Oct 23, 2009 at 5:29 PM, Doug Schepers<schepers@w3.org>  wrote:
>>  That's an interesting point... if the proponents or opponents of CORS did
>>  more testing and modeling, would that satisfy concerns?  Surely it couldn't
>>  be hard to set up a few common model architectures using CORS and announce
>>  them as targets for the white hat community?
>>  Mind you, I'm not stating one way or the other that this should be part of
>>  the exit criteria for CORS, just that it would be helpful overall, and
>>  frankly, if it hasn't been tried, I'm a little surprised... isn't this
>>  *exactly* the sort of thing Google, MS, the browser vendors, and the
>>  security community at large have the resources and expertise to do, as well
>>  as the incentive?  Can a brother get a honeypot?
> These issues that Mark and co raise are not really the kinds of things
> one can evaluate with a honeypot-type contest.  They're worried about
> what web developers will build if we give them CORS as a tool.

Sorry for being dense, but why couldn't the whitehats build toy systems 
on an open honeynet?

-Doug Schepers
W3C Team Contact, SVG and WebApps WGs
Received on Saturday, 24 October 2009 05:34:33 UTC