Re: UMP / CORS: Implementor Interest

From: Tyler Close <tyler.close@gmail.com>
Date: Tue, 11 May 2010 13:02:45 -0700
Message-ID: <AANLkTim9z3toj6BxTQ-vPliAwnBkIfnYzxwgfUhzanpR@mail.gmail.com>
To: Arthur Barstow <Art.Barstow@nokia.com>
Cc: ext Jonas Sicking <jonas@sicking.cc>, Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>, Adam Barth <w3c@adambarth.com>
On Tue, May 11, 2010 at 12:36 PM, Arthur Barstow <Art.Barstow@nokia.com> wrote:
> Jonas, Anne, Tyler, All,
>
> On May 11, 2010, at 3:08 PM, ext Jonas Sicking wrote:
>
>> Personally I would prefer to see the "UMP model" be specced as part of
>> the CORS spec, mostly to avoid inevitable differences between two
>> specs trying to specify the same thing. And creating an authoring
>> guide specifically for the UMP security model to help authors that
>> want to just use UMP.
>
> Yes, I would also prefer that. Are there any technical reason(s) this can't
> be done?

CORS introduces subtle but severe Confused Deputy vulnerabilities
which should prevent it from being standardized. Some believe/hope
these vulnerabilities can be mitigated, but the suggested techniques
are not well explained yet, will be overly constraining and will not
work in many common cases. So far, the CORS document does not even
explain these problems, let alone offer convincing solutions.

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Tuesday, 11 May 2010 20:03:18 GMT
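The message above names the Confused Deputy problem in CORS without spelling out the mechanism. The following is an added, self-contained illustration written for this archive page; it is not code from Tyler Close's message, from the CORS draft or from the UMP draft. It models, in plain JavaScript, what a browser does with a credentialed "simple" cross-origin POST (cookies sent, no preflight, response readability gated by the Access-Control-Allow-* headers) against three constructed server behaviours: a server that reflects the request Origin and allows credentials, a server with an exact-match origin allowlist, and a server that ignores cookies and requires an explicit token in the request body. All names (policyReflect, policyAllowlist, transferHandler, transferHandlerExplicitAuth, runCrossOriginPost, demo), origins, cookies and balances are assumptions constructed for the example, and the token-based handler is a simplification in the spirit of the UMP model, not the UMP specification itself.

```javascript
// Added example for this archive page; not part of the original message or either draft.
// Constructed origins and sample data (assumptions):
const ATTACKER_ORIGIN = "https://evil.example";
const PARTNER_ORIGIN = "https://partner.example";

// Server state: session cookies, explicit request tokens and balances (constructed).
function makeBank() {
  return {
    sessions: { "sid=alice-session": "alice" },
    tokens: { "tok-8f3a": "alice" },
    balances: { alice: 100, mallory: 0 },
  };
}

// Vulnerable CORS policy: reflects whatever Origin arrives and allows credentials,
// so any origin can drive the server with the user's ambient cookie.
function policyReflect(reqOrigin) {
  return {
    "Access-Control-Allow-Origin": reqOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened CORS policy: exact-match allowlist; unknown origins get no CORS headers.
function policyAllowlist(allowed) {
  return (reqOrigin) =>
    allowed.includes(reqOrigin)
      ? {
          "Access-Control-Allow-Origin": reqOrigin,
          "Access-Control-Allow-Credentials": "true",
          Vary: "Origin",
        }
      : {};
}

// The deputy: a transfer endpoint that acts on the cookie's authority,
// regardless of which origin authored the request.
function transferHandler(bank, corsPolicy) {
  return (req) => {
    const headers = corsPolicy(req.origin);
    const user = req.cookie ? bank.sessions[req.cookie] : undefined;
    if (!user) return { status: 401, headers, body: "no session" };
    const { to, amount } = req.body;
    if (bank.balances[user] < amount) return { status: 400, headers, body: "insufficient" };
    bank.balances[user] -= amount;
    bank.balances[to] = (bank.balances[to] || 0) + amount;
    return { status: 200, headers, body: `ok balance=${bank.balances[user]}` };
  };
}

// Explicit-authority variant (assumption, in the spirit of UMP): cookies are ignored and the
// request must carry its own unguessable token. Since nothing ambient is used, the response
// can safely be exposed to every origin.
function transferHandlerExplicitAuth(bank) {
  return (req) => {
    const headers = { "Access-Control-Allow-Origin": "*" };
    const user = req.body.token ? bank.tokens[req.body.token] : undefined;
    if (!user) return { status: 401, headers, body: "no token" };
    const { to, amount } = req.body;
    if (bank.balances[user] < amount) return { status: 400, headers, body: "insufficient" };
    bank.balances[user] -= amount;
    bank.balances[to] = (bank.balances[to] || 0) + amount;
    return { status: 200, headers, body: `ok balance=${bank.balances[user]}` };
  };
}

// Browser-side model of a "simple" cross-origin POST (form-encoded, no preflight):
// the request, with cookies if withCredentials, reaches the server before any CORS
// check; only whether the script may read the response depends on the headers.
function runCrossOriginPost({ origin, withCredentials, cookie, body, handler }) {
  const req = { origin, cookie: withCredentials ? cookie : undefined, body };
  const res = handler(req); // the server-side effect happens here
  const acao = res.headers["Access-Control-Allow-Origin"];
  const acac = res.headers["Access-Control-Allow-Credentials"];
  const readable = withCredentials
    ? acao === origin && acac === "true" // "*" is never accepted with credentials
    : acao === "*" || acao === origin;
  return { status: res.status, readable, body: readable ? res.body : null };
}

// A page on the attacker origin fires a transfer from the victim's browser,
// which holds the bank session cookie but not the explicit token.
function demo(handlerFactory, withCredentials = true) {
  const bank = makeBank();
  const result = runCrossOriginPost({
    origin: ATTACKER_ORIGIN,
    withCredentials,
    cookie: "sid=alice-session",
    body: { to: "mallory", amount: 40 },
    handler: handlerFactory(bank),
  });
  return { ...result, aliceBalance: bank.balances.alice, malloryBalance: bank.balances.mallory };
}
```

Running `demo((b) => transferHandler(b, policyReflect))` shows the worst case: the transfer executes on Alice's cookie and the attacker's script can read the response. With `policyAllowlist([PARTNER_ORIGIN])` the response is withheld from the attacker, but the transfer has already happened, because the deputy acted on the ambient cookie before the browser consulted any header. Only `transferHandlerExplicitAuth`, called with `withCredentials` false, leaves the balance untouched, since the attacker cannot supply the token.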