
Re: [UMP] Request for Last Call

From: Tyler Close <tyler.close@gmail.com>
Date: Mon, 19 Apr 2010 11:38:47 -0700
Message-ID: <o2k5691356f1004191138u109889c8w1830810f2e1e9ea2@mail.gmail.com>
To: Maciej Stachowiak <mjs@apple.com>
Cc: marcosc@opera.com, "Mark S. Miller" <erights@google.com>, Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>
On Wed, Apr 7, 2010 at 8:50 PM, Maciej Stachowiak <mjs@apple.com> wrote:
On Thu, Apr 8, 2010 at 5:40 AM, Tyler Close <tyler.close@gmail.com> wrote:
> I think there is a burden on CORS to explain the
> "Don't Be A Deputy" (DBAD) policy you've claimed enables developers to
> safely use CORS. If this policy is fully explained to developers, I
> believe its restrictions will seem onerous and error prone. If this
> policy is not successfully communicated to developers, CORS creates a
> subtle and dangerous security trap of a kind we've seen developers
> fall victim to already with CSRF attacks.

I have yet to receive a response to the above and think it should be
an explicit requirement for resolving ISSUE-108
<http://www.w3.org/2008/webapps/track/issues/108>. Hopefully the
tracker will catch and track this email.

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Monday, 19 April 2010 18:39:20 GMT
