W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2009

Re: [cors] unaddressed security concerns

From: Tyler Close <tyler.close@gmail.com>
Date: Mon, 16 Nov 2009 10:09:27 -0800
Message-ID: <5691356f0911161009i1e7d961cgc3a5b31ef88ce552@mail.gmail.com>
To: Maciej Stachowiak <mjs@apple.com>
Cc: "Mark S. Miller" <erights@google.com>, Anne van Kesteren <annevk@opera.com>, "Henry S. Thompson" <ht@inf.ed.ac.uk>, Jonas Sicking <jonas@sicking.cc>, Arthur Barstow <Art.Barstow@nokia.com>, public-webapps <public-webapps@w3.org>
On Thu, Nov 5, 2009 at 9:59 PM, Maciej Stachowiak <mjs@apple.com> wrote:
>
> Hi Tyler,
>
> On Nov 5, 2009, at 5:48 PM, Tyler Close wrote:
>
>> Closing remark:
>>
>> In another thread, you've written "I do think that a way to do an
>> anonymous XHR is justified", so I don't know how much sense it makes
>> to continue this thread. You put so much effort into this email that I
>> felt I owed you a response.
>
> Let me make sure I understand your position and overall goal in this
> discussion. Is it:
>
> A) An API to do anonymous XHR (such as GuestXHR) should be provided *AND*
> CORS should be abandoned (and perhaps removed from implementations shipping
> it.
>
> OR:
>
> B) An API to do anonymous XHR (such as GuestXHR) should be added, but you
> can live with CORS continuing to exist.
>
>
> I thought your position was (A). If it is in fact (B), then perhaps we have
> all invested more energy than necessary in this debate, because I don't
> think (B) is especially controversial. But if your position is (A), then the
> statement you quoted wasn't meant to agree with that position (in case it
> wasn't clear).

MarkM and I have been arguing for position (A), and will continue to
do so, but getting an agreement on (B) is valuable. When I saw your
agreement to (B), I wanted to make sure that didn't get lost in the
noise around the debate of (A). To further assist this, MarkM and I
are currently working on a fully formed specification for GuestXHR.
I'm tempted to push on that and pause the debate on (A) until we have
WG consensus on this new spec. With the good tool in place, arguing to
drop the bad one carries less risk.

> That being said, I feel the input from you and Mark and the ensuing
> discussion has helped the Working Group get a better understanding of the
> security issues in this area, and I believe it will help us make a
> high-quality Security Considerations section. So if you have further replies
> in mind that would help inform the conversation, then please feel encouraged
> to send them.

I'm glad you've found this discussion worthwhile and thank you for
saying so. I think the slide set you put together was also a great
help to the discussion. We do have further analysis we'd like to
contribute on (A) and DBAD, but for at least the short term, I'd like
to focus on getting GuestXHR in place. Expect a first draft of that
this week...

Thanks,
--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Monday, 16 November 2009 18:10:07 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:35 GMT