- From: Doug Schepers <schepers@w3.org>
- Date: Sat, 24 Oct 2009 03:13:13 -0400
- To: public-webapps@w3.org
Hi, David-Sarah-

David-Sarah Hopwood wrote (on 10/24/09 2:45 AM):
> Doug Schepers wrote:
>> I'm not at all a security expert, or even particularly well-informed on
>> the topic, but it does occur to me that most of CORS' opponents seem
>> very much in the capability-based security camp [1], and may distrust or
>> dislike something more "authentication-based" like CORS.
>
> The reason for that is that the main issue here is CSRF attacks, which are
> a special case of a class of vulnerabilities (confused deputy attacks) that
> capability systems are known to prevent, but that other access control
> systems are generally vulnerable to. So it is not surprising that proponents
> of capability systems would be more likely to recognize the importance
> of this issue.

Fair enough.

> Indeed the most common -- and arguably most effective -- defence against
> CSRF is to use an unguessable token as an authenticator. That token is a
> sparse capability, used in essentially the same way that a capability
> system would use it.

Is there an existing capability mechanism that would solve the use cases that CORS enables? If so, what is the rationale for CORS? If not, why not? Could CORS be combined with a capability system to make it more secure (and are you alluding to that, and I was too dense to connect the dots)?

I'm not arguing for or against CORS here, just educating myself... sorry if I'm dragging down the dialog here.

Regards-
-Doug Schepers
W3C Team Contact, SVG and WebApps WGs
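The "unguessable token as an authenticator" defence that the quoted reply describes, worked through as a minimal synchronizer-token check. This is an added example, not code from the mailing-list thread or from any W3C project; the request dict, the in-memory token store and the session id are constructed stand-ins for a real web framework's request and session objects. It shows why the browser-attached cookie alone is a confused-deputy problem (the forged request carries it too) and how the token, readable only by pages on the issuing origin, acts as the sparse capability that authorises the state change.

```python
"""Synchronizer-token CSRF defence: the token is a sparse capability that a
page on another origin can neither read (same-origin policy) nor guess.
Added example; the request/session model below is a constructed stand-in."""
import hmac
import secrets

# Server-side store: session id -> CSRF token.  In a real deployment this
# lives in the session backend; a dict keeps the example self-contained.
_TOKENS = {}


def issue_token(session_id):
    """Mint a fresh 256-bit random token for the session and remember it.

    Its only security property is unguessability, so a request presenting
    the right token must originate from a page this server rendered."""
    token = secrets.token_urlsafe(32)
    _TOKENS[session_id] = token
    return token


def verify_token(session_id, submitted):
    """True only if `submitted` equals the token issued to this session.
    compare_digest keeps the comparison constant-time so the token is not
    leaked byte-by-byte through response timing."""
    expected = _TOKENS.get(session_id)
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_state_change(request):
    """Toy handler for a state-changing POST.  The cookie identifies the
    session (the browser attaches it to every request, cross-site ones
    included); the action runs only if the form also carries the token."""
    session_id = request["cookies"].get("sid")
    if session_id is None:
        return 401, "no session"
    if not verify_token(session_id, request["form"].get("csrf_token")):
        return 403, "csrf check failed"
    return 200, "transfer performed for " + session_id


def demo():
    """Legitimate same-origin submission next to a cross-site one.
    All three carry the victim's cookie; only the first carries the token."""
    sid = "constructed-session-1"
    token = issue_token(sid)  # embedded in the form the server rendered

    legit = {"cookies": {"sid": sid}, "form": {"csrf_token": token}}
    cross_site = {"cookies": {"sid": sid}, "form": {}}  # other origin: no token
    guessed = {"cookies": {"sid": sid}, "form": {"csrf_token": "A" * 43}}

    return (handle_state_change(legit)[0],
            handle_state_change(cross_site)[0],
            handle_state_change(guessed)[0])


if __name__ == "__main__":
    print(demo())  # (200, 403, 403)
```

The check deliberately keys the token on the session rather than on the user: a token is only meaningful together with the cookie it was issued alongside, which is exactly the pairing a cross-origin page cannot reproduce.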
Received on Saturday, 24 October 2009 07:13:18 UTC