W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2009

Re: [cors] unaddressed security concerns

From: Maciej Stachowiak <mjs@apple.com>
Date: Thu, 05 Nov 2009 22:05:53 -0800
Cc: public-webapps <public-webapps@w3.org>
Message-id: <4BF96386-FB49-4027-AAA7-31EB82C913F7@apple.com>
To: Devdatta <dev.akhawe@gmail.com>

On Nov 5, 2009, at 6:04 PM, Devdatta wrote:

> Hi Maciej,
>> Read <from>
>>  If the <from> resource is owned by the domain specified by Origin,  
>> return
>> the data.
> .....
>> CrossDomainCopy <from-domain> <from-resource> <read-token> <to- 
>> domain>
>> <to-resource> <write-token>
> I don't understand the aim of the whole protocol you have outlined  
> above.

I'm sorry, I outlined it in a pretty sketchy way because I was writing  
in a hurry and had other things to get to.
> Are you saying CORS should be rewritten to directly support such a  
> design ?

No - there are no changes to CORS needed to support it.

> or Is this a design pattern you are recommending (for use with CORS) ?

This is a possible design when building applications that do cross- 
site networking, and in particular ones that may involve delegated  
requests or requests combining information from multiple sites.

> If the latter, do you honestly expect web developers to read and
> understand all that ?

The complexity in my proposed protocol is not related to CORS - you'd  
face the same complexity or greater doing a purely token-based  
protocol over something like GuestXHR. And you can use a much simpler  
approach with CORS if you are only doing simpler two-party interactions.

> Or have I missed the point completely ?

I wouldn't put it that way. I wrote something without a simple  
explanation assuming readers would have context and I guess it  
confused you, which is my fault. Sorry!

  - Maciej
Received on Friday, 6 November 2009 06:06:39 UTC

This archive was generated by hypermail 2.3.1 : Friday, 27 October 2017 07:26:20 UTC