W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2009

Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?)

From: Anne van Kesteren <annevk@opera.com>
Date: Wed, 23 Dec 2009 15:05:01 +0100
To: "Kenton Varda" <kenton@google.com>, "Adam Barth" <w3c@adambarth.com>
Cc: "Ian Hickson" <ian@hixie.ch>, "Tyler Close" <tyler.close@gmail.com>, public-webapps <public-webapps@w3.org>
Message-ID: <op.u5d9enp164w2qv@annevk-t60>
On Tue, 22 Dec 2009 02:48:42 +0100, Kenton Varda <kenton@google.com> wrote:
> It *is* a problem today with XMLHttpRequest.  This is, for example, one
> reason why we cannot host arbitrary HTML documents uploaded by users on
> google.com -- a rather large inconvenience!  If it were feasible, we'd be
> arguing for removing this ability from XMLHttpRequest.  However,  
> removing a feature that exists is generally not possible; better to  
> avoid adding it in the first place.

There are plenty of other features that already make that impossible.


> With CORS, the problems would be worse, because now you not only have to
> ensure that your own server is trust-worthy and free of CSRF, but also  
> the servers of everyone you allow to access your resource.  Problems are  
> likely to multiply exponentially.

Isn't this also true for the non-CORS solution? A secret token can be  
stolen as well.


I'm personally not really married to either approach, but it is still not  
clear to me how to me how can make us of UM to address the use cases CORS  
has. And for the cases where UM can replace it it appears to be much more  
complicated, which I do not think is a good sign if we expect authors to  
make mistakes.

I tried to clarify the use cases for CORS here (if more detail is needed  
please let me know):

   http://dev.w3.org/2006/waf/access-control/#use-cases

It would be nice to have sufficient detail on how each of these would work  
with UM so we can evaluate things better.


-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Wednesday, 23 December 2009 14:40:47 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:35 GMT