Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?)

On Mon, 21 Dec 2009, Kenton Varda wrote:
>
> The problem is that the security it provides in those cases simply 
> doesn't exist unless you can ensure that no resource on *any* of your 
> allowed origins can be tricked into fetching your "protected" resource 
> for a third party. In practice this will be nearly impossible to ensure 
> except in the most simple cases.

The most simple cases are also the most common and are by far the cases I 
care the most about. The more complicated cases are authored by more 
competent authors, and can be more complicated (e.g. they don't have to 
use CORS).

I am not arguing that you can't screw up the use of CORS in complicated 
cases (though I think you can just as easily screw up the use of UM in 
complicated cases, and am not at all convinced that one is in practice 
better than the other). I am all in favour of providing authors of 
complicated cases APIs that follow the characteristics of UM (e.g. not 
letting the user agent handle user or site identification, but requiring 
that sites establish protocols to do so themselves).

But simple things should be simple to do. If we only give authors UM, and 
don't give them CORS, then we are making _everything_ complicated. That's 
a bad design for a platform that is to be used by as broad an authoring 
base as the Web's.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Tuesday, 22 December 2009 01:31:48 UTC
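
An added sketch, not part of the original message or of either specification, modelling the scenario in the quoted paragraph next to the UM characteristic described in the reply: a page on an allowed origin relays a fetch on behalf of a third party. The server functions, origins, cookie and token are all constructed, and the token check is only one assumed way for a site to establish identification itself.

```javascript
// Constructed model with no network I/O: a request is a plain object and each
// "server" is a function. All origins, cookies and tokens are made-up values.
const ALLOWED_ORIGINS = new Set(["https://partner.example"]);
const SESSIONS = new Map([["sid-alice", "alice"]]);        // cookie -> user
const CAPABILITIES = new Map([["cap-7f3e9c", "alice"]]);   // secret -> user

// CORS-style check: trust the Origin and cookie the user agent attached.
function corsServer(req) {
  const user = SESSIONS.get(req.cookie);
  if (user && ALLOWED_ORIGINS.has(req.origin)) return { status: 200, body: `${user}:private` };
  return { status: 403, body: "" };
}

// UM-style check: ignore ambient identity; only a secret carried in the request counts.
function umServer(req) {
  const user = CAPABILITIES.get(req.token);
  return user ? { status: 200, body: `${user}:private` } : { status: 403, body: "" };
}

// What the modelled user agent adds by itself to a request from `pageOrigin`.
function userAgentSend(mode, pageOrigin, explicit) {
  if (mode === "cors") return { ...explicit, origin: pageOrigin, cookie: "sid-alice" };
  return { ...explicit, origin: null, cookie: undefined }; // UM: nothing ambient
}

// Hypothetical page on the allowed origin that fetches whatever its caller names
// and hands the response back to that caller (the "tricked" resource).
function deputyPage(mode, server, callerInput) {
  const req = userAgentSend(mode, "https://partner.example", callerInput);
  return server(req);
}

function runScenarios() {
  const thirdParty = { path: "/protected" };                   // knows no secret
  const leaked = { path: "/protected", token: "cap-7f3e9c" };  // secret got out
  return {
    corsViaDeputy: deputyPage("cors", corsServer, thirdParty).status,
    corsDirect: corsServer(userAgentSend("cors", "https://other.example", thirdParty)).status,
    umViaDeputy: deputyPage("um", umServer, thirdParty).status,
    umLeakedToken: deputyPage("um", umServer, leaked).status,
  };
}

console.log(runScenarios());
```

The origin check rejects the direct cross-origin request but not the relayed one; the token check rejects the relayed request until the token itself leaks, which is the corresponding way to get the UM-style design wrong.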