- From: Ian Hickson <ian@hixie.ch>
- Date: Wed, 12 May 2010 00:15:46 +0000 (UTC)
- To: Tyler Close <tyler.close@gmail.com>
- Cc: Arthur Barstow <Art.Barstow@nokia.com>, ext Jonas Sicking <jonas@sicking.cc>, Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>, Adam Barth <w3c@adambarth.com>
On Tue, 11 May 2010, Tyler Close wrote: > > CORS introduces subtle but severe Confused Deputy vulnerabilities I don't think everyone is convinced that this is the case. It is certainly possible to mis-use CORS in insecure ways, but then it's also possible to mis-use UMP in insecure ways. As far as I can tell, confused deputy vulnerabilities only occur with CORS if you use it in inappropriate ways, such as sharing identifiers amongst different origins without properly validating that they aren't spoofing each other. -- Ian Hickson U+1047E )\._.,--....,'``. fL http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 12 May 2010 00:16:17 UTC