W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2009

Re: [cors] unaddressed security concerns

From: Doug Schepers <schepers@w3.org>
Date: Sat, 24 Oct 2009 03:13:13 -0400
Message-ID: <4AE2A909.3070601@w3.org>
To: public-webapps@w3.org
Hi, David-Sarah-

David-Sarah Hopwood wrote (on 10/24/09 2:45 AM):
> Doug Schepers wrote:
>>  I'm not at all a security expert, or even particularly well-informed on
>>  the topic, but it does occur to me that most of CORS' opponents seem
>>  very much in the capability-based security camp [1], and may distrust or
>>  dislike something more "authentication-based" like CORS.
> The reason for that is that the main issue here is CSRF attacks, which are
> a special case of a class of vulnerabilities (confused deputy attacks) that
> capability systems are known to prevent, but that other access control
> systems are generally vulnerable to. So it is not surprising that proponents
> of capability systems would be more likely to recognize the importance
> of this issue.

Fair enough.

> Indeed the most common -- and arguably most effective -- defence against
> CSRF is to use an unguessable token as an authenticator. That token is a
> sparse capability, used in essentially the same way that a capability
> system would use it.

Is there an existing capability mechanism that would solve the use cases 
that CORS enables?  If so, what is the rationale for CORS?  If not, why 
not?  Could CORS be combined with a capability system to make it more 
secure (and are you alluding to that, and I was too dense to connect the 

I'm not arguing for or against CORS here, just educating myself... sorry 
if I'm dragging down the dialog here.

-Doug Schepers
W3C Team Contact, SVG and WebApps WGs
Received on Saturday, 24 October 2009 07:13:18 UTC

This archive was generated by hypermail 2.3.1 : Friday, 27 October 2017 07:26:20 UTC