
Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?)

From: Tyler Close <tyler.close@gmail.com>
Date: Mon, 14 Dec 2009 10:44:56 -0800
Message-ID: <5691356f0912141044s6c191413hfef5639f0bfb5295@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: Jonathan Rees <jar@creativecommons.org>, Maciej Stachowiak <mjs@apple.com>, "Mark S. Miller" <erights@google.com>, Jonas Sicking <jonas@sicking.cc>, Arthur Barstow <Art.Barstow@nokia.com>, Ian Hickson <ian@hixie.ch>, Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>
On Mon, Dec 14, 2009 at 10:16 AM, Adam Barth <w3c@adambarth.com> wrote:
> On Mon, Dec 14, 2009 at 5:53 AM, Jonathan Rees <jar@creativecommons.org> wrote:
>> The only complaint I know of regarding UM is that it is so complicated
>> to use in practice that it will not be as enabling as CORS
>
> Actually, Tyler's UM protocol requires the user to confirm message 5
> to prevent a CSRF attack.  Maciej's CORS version of the protocol
> requires no such user confirmation.  I think it's safe to say that
> asking the user to confirm security-critical operations is not a good
> approach.

For Ian Hickson's challenge problem, I came up with a design that does
not require any confirmation, or any other user interaction. See:

http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/1232.html

That same design can be used to solve Maciej's challenge problem.

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Monday, 14 December 2009 18:45:29 GMT