- From: Tyler Close <tyler.close@gmail.com>
- Date: Mon, 14 Dec 2009 10:44:56 -0800
- To: Adam Barth <w3c@adambarth.com>
- Cc: Jonathan Rees <jar@creativecommons.org>, Maciej Stachowiak <mjs@apple.com>, "Mark S. Miller" <erights@google.com>, Jonas Sicking <jonas@sicking.cc>, Arthur Barstow <Art.Barstow@nokia.com>, Ian Hickson <ian@hixie.ch>, Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>
On Mon, Dec 14, 2009 at 10:16 AM, Adam Barth <w3c@adambarth.com> wrote:
> On Mon, Dec 14, 2009 at 5:53 AM, Jonathan Rees <jar@creativecommons.org> wrote:
>> The only complaint I know of regarding UM is that it is so complicated
>> to use in practice that it will not be as enabling as CORS
>
> Actually, Tyler's UM protocol requires the user to confirm message 5
> to prevent a CSRF attack. Maciej's CORS version of the protocol
> requires no such user confirmation. I think it's safe to say that
> asking the user to confirm security-critical operations is not a good
> approach.

For Ian Hickson's challenge problem, I came up with a design that does not require any confirmation, or any other user interaction. See:

http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/1232.html

That same design can be used to solve Maciej's challenge problem.

--Tyler

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Monday, 14 December 2009 18:45:29 UTC