W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2009

Re: [cors] unaddressed security concerns

From: Adam Barth <w3c@adambarth.com>
Date: Sat, 24 Oct 2009 10:03:16 -0700
Message-ID: <7789133a0910241003g7a5803efw316604abec055b3a@mail.gmail.com>
To: Doug Schepers <schepers@w3.org>
Cc: Jonathan Rees <jar@creativecommons.org>, Maciej Stachowiak <mjs@apple.com>, "Mark S. Miller" <erights@google.com>, Anne van Kesteren <annevk@opera.com>, "Henry S. Thompson" <ht@inf.ed.ac.uk>, Jonas Sicking <jonas@sicking.cc>, Arthur Barstow <Art.Barstow@nokia.com>, public-webapps <public-webapps@w3.org>

On Fri, Oct 23, 2009 at 10:34 PM, Doug Schepers <schepers@w3.org> wrote:
> Sorry for being dense, but why couldn't the whitehats build toy systems on
> an open honeynet?

They could, but what would we learn from such an experiment?  If they
build only secure systems, then we'd learn that security experts can
build secure systems, which is somewhat unsurprising.  If they build
insecure systems, then we'd learn that it is possible to build
insecure systems, which we know already.

The real question hinges around what sorts of systems real developers
will build given CORS as a tool and whether we can prod them into
building more secure systems by changing the API.  There isn't really
a way for us to answer that question in our ivory tower because it
revolves around who writes blog posts about what, and how good the
sample code is that people start copying and pasting.

I suspect we could do much more for the security of the web by writing
up good tutorials and example code for using CORS than we could by
tweaking various parts of the specification at this point.

Adam
Received on Saturday, 24 October 2009 17:04:12 GMT
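Adam's point about the sample code developers copy and paste is concrete enough to show. What follows is an added example, not code from this thread, from the CORS specification or from any W3C deliverable: the origin-echo pattern that turns up in CORS snippets, side by side with an allowlist version, and a small model of the browser-side check for a request sent with credentials. The function names, the allowlist entries and the sample request origins are constructed for illustration.

```javascript
// Added example (not from the thread): a CORS response policy in its weak
// and hardened forms. Function names, the allowlist and the sample origins
// are constructed for illustration.

// Weak pattern seen in copy-pasted snippets: echo the request's Origin
// back unconditionally and also allow credentials. Every origin on the
// web is then trusted to read authenticated responses.
function weakCorsHeaders(origin) {
  if (typeof origin !== 'string') return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened pattern: exact-match the Origin against a fixed set of full
// origins (scheme, host and port), always emit Vary: Origin so a shared
// cache does not hand one origin's response to another, and omit the
// CORS headers entirely for anything not on the list.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com:8443',
]);

function strictCorsHeaders(origin, allowlist = ALLOWED_ORIGINS) {
  const headers = { Vary: 'Origin' };
  // No Origin header: same-origin request or a non-browser client;
  // there is nothing to grant.
  if (typeof origin !== 'string') return headers;
  // Set.has() is a whole-string comparison, so neither a hostile suffix
  // ("https://app.example.com.evil.net") nor the literal "null" origin of
  // a sandboxed iframe or file:// page slips through.
  if (!allowlist.has(origin)) return headers;
  headers['Access-Control-Allow-Origin'] = origin;
  headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Model of the browser-side check for a request sent with credentials:
// the response is exposed to the page only if ACAO is exactly the page's
// origin (a "*" wildcard is rejected for credentialed requests) and
// ACAC is "true".
function credentialedReadAllowed(headers, origin) {
  return typeof origin === 'string' &&
         headers['Access-Control-Allow-Origin'] === origin &&
         headers['Access-Control-Allow-Credentials'] === 'true';
}

// Constructed sample of origins a server might see in one afternoon.
const SAMPLE_ORIGINS = [
  'https://app.example.com',           // legitimate front end
  'https://attacker.example',          // unrelated hostile site
  'https://app.example.com.evil.net',  // suffix trick against prefix matching
  'null',                              // sandboxed iframe / file:// page
  undefined,                           // no Origin header at all
];

// Returns, per origin, whether each policy lets a credentialed
// cross-origin read succeed.
function comparePolicies(origins = SAMPLE_ORIGINS) {
  return origins.map((origin) => ({
    origin: origin === undefined ? '(none)' : origin,
    weak: credentialedReadAllowed(weakCorsHeaders(origin), origin),
    strict: credentialedReadAllowed(strictCorsHeaders(origin), origin),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(comparePolicies());
}
```

Run under node and the table shows the weak policy granting a credentialed read to every origin that sends a header, including the suffix trick and the "null" origin, while the strict policy grants it only to the two listed origins. The check worth copying is the exact `Set.has()` comparison: prefix, suffix or regex matching on the Origin value is where allowlist code usually goes wrong.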
