W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2009

Re: CORS versus Uniform Messaging?

From: Adam Barth <w3c@adambarth.com>
Date: Sat, 12 Dec 2009 19:17:15 -0800
Message-ID: <7789133a0912121917r707e3195h5df4ee4d7c989871@mail.gmail.com>
To: Jonas Sicking <jonas@sicking.cc>
Cc: Arthur Barstow <Art.Barstow@nokia.com>, "ext Mark S. Miller" <erights@google.com>, Tyler Close <tyler.close@gmail.com>, Ian Hickson <ian@hixie.ch>, Maciej Stachowiak <mjs@apple.com>, Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>
On Thu, Dec 10, 2009 at 12:04 PM, Jonas Sicking <jonas@sicking.cc> wrote:
> On Thu, Dec 10, 2009 at 10:53 AM, Arthur Barstow <Art.Barstow@nokia.com> wrote:
>> Ideally, the group would agree on a single model and this could be achieved
>> by converging CORS + UM, abandoning one model in deference to the other,
>> etc.
>>
>> Can we all rally behind a single model?
>
> I'm not sure that we want to. My impression is that both models have
> their advantages and risks. They basically implement two different
> security design philosophies, and I'm not confident that there is a
> winner, or that we can correctly pick one.

I agree with Jonas.  It seems unlikely we'll be able to
design-by-commitee around a difference in security philosophy dating
back to the 70s.

> CORS seems easier in the simpler cases when no website acts as a
> deputy. UM seems less likely to cause confused deputy problems when a
> website acts as a deputy and receives urls from third parties (either
> by fetching them over the network, or by having third party code
> running in their domain using something like caja).

I also agree with Jonas on these points.  What might make the most
sense is to let the marketplace decide which model is most useful.
The most likely outcome (in my mind) is that they are optimized for
different use cases and will each find their own niche.

Adam
Received on Sunday, 13 December 2009 03:18:09 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:35 GMT