W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2009

Re: [cors] unaddressed security concerns

From: David-Sarah Hopwood <david-sarah@jacaranda.org>
Date: Sat, 24 Oct 2009 07:45:46 +0100
Message-ID: <4AE2A29A.7080800@jacaranda.org>
To: public-webapps@w3.org
Doug Schepers wrote:
> I'm not at all a security expert, or even particularly well-informed on
> the topic, but it does occur to me that most of CORS' opponents seem
> very much in the capability-based security camp [1], and may distrust or
> dislike something more "authentication-based" like CORS.

The reason for that is that the main issue here is CSRF attacks, which are
a special case of a class of vulnerabilities (confused deputy attacks) that
capability systems are known to prevent, but that other access control
systems are generally vulnerable to. So it is not surprising that proponents
of capability systems would be more likely to recognize the importance
of this issue.

Indeed the most common -- and arguably most effective -- defence against
CSRF is to use an unguessable token as an authenticator. That token is a
sparse capability, used in essentially the same way that a capability
system would use it.

-- 
David-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com
Received on Saturday, 24 October 2009 06:46:25 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:34 GMT