W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2009

Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?)

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 21 Dec 2009 17:35:50 -0800
Message-ID: <7789133a0912211735s4a0960dra84e97e78067397a@mail.gmail.com>
To: Kenton Varda <kenton@google.com>
Cc: Ian Hickson <ian@hixie.ch>, Tyler Close <tyler.close@gmail.com>, public-webapps <public-webapps@w3.org>
On Mon, Dec 21, 2009 at 5:17 PM, Kenton Varda <kenton@google.com> wrote:
> The problem we're getting at is that CORS is being presented as a security
> mechanism, when in fact it does not provide security.  Yes, CORS is
> absolutely easier to use than UM in some cases -- I don't think anyone is
> going to dispute that.  The problem is that the security it provides in
> those cases simply doesn't exist unless you can ensure that no resource on
> *any* of your allowed origins can be tricked into fetching your "protected"
> resource for a third party.  In practice this will be nearly impossible to
> ensure except in the most simple cases.

Why isn't this a big problem today for normal XMLHttpRequest?  Normal
XMLHttpRequest is just like a CORS deployment in which every server
has a policy of allowing its own origin.

Adam
Received on Tuesday, 22 December 2009 01:36:51 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:35 GMT