W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2009

Re: Semi-public resources in Uniform Messaging

From: Tyler Close <tyler.close@gmail.com>
Date: Thu, 10 Dec 2009 11:53:51 -0800
Message-ID: <5691356f0912101153m2ae7dadan654f33c8c11341a@mail.gmail.com>
To: Ian Hickson <ian@hixie.ch>
Cc: public-webapps@w3.org
On Thu, Dec 10, 2009 at 10:17 AM, Ian Hickson <ian@hixie.ch> wrote:
> That looks _really_ complicated.

By many measures, your CORS based solution is more complicated.

1. It requires a login to Site A for every login to Site B, wheres the
UMP solution does not. That means the UMP solution has:
- fewer HTTP requests across the full lifetime of the interaction
- fewer user interactions across the full lifetime of the interaction

2. It creates a CSRF-like vulnerability. In an interaction with Site
C, Site B must be careful with how it handles the response to a GET
request done on at the direction of Site C. For the GET request, Site
C could provide the well-known URL for user feeds. A page from Site B
could then inadvertently expose this data to Site C because the code
wasn't written with the expectation that Site A might be involved. By
using UMP, this class of attacks on the page from Site B is

3. The CORS solution is not implementable for popular user agents
today. The XDR API does not support the kind of request the CORS
solution needs to make. The UMP solution can be implemented in a
cross-platform way today (the code needs browser specific
customizations for different constructor names and parameters, but it
can work).

The UMP spec may not be exactly what you had in mind; but I believe
I've shown that it meets all the requirements, is safer, and
represents a consensus amongst current deployments.


"Waterken News: Capability security on the Web"
Received on Thursday, 10 December 2009 19:54:24 UTC

This archive was generated by hypermail 2.3.1 : Friday, 27 October 2017 07:26:21 UTC