Re: UMP / CORS: Implementor Interest

From: Ian Hickson <ian@hixie.ch>
Date: Wed, 12 May 2010 00:15:46 +0000 (UTC)
To: Tyler Close <tyler.close@gmail.com>
Cc: Arthur Barstow <Art.Barstow@nokia.com>, ext Jonas Sicking <jonas@sicking.cc>, Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>, Adam Barth <w3c@adambarth.com>
Message-ID: <Pine.LNX.4.64.1005112228020.8532@ps20323.dreamhostps.com>

On Tue, 11 May 2010, Tyler Close wrote:
> CORS introduces subtle but severe Confused Deputy vulnerabilities

I don't think everyone is convinced that this is the case. It is certainly 
possible to mis-use CORS in insecure ways, but then it's also possible to 
mis-use UMP in insecure ways. As far as I can tell, confused deputy 
vulnerabilities only occur with CORS if you use it in inappropriate ways, 
such as sharing identifiers amongst different origins without properly 
validating that they aren't spoofing each other.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 12 May 2010 00:16:17 UTC
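
The validation mentioned in the message above, sketched as an added example that is not part of the original email or of the CORS or UMP drafts. The handle table, the origins and the function names are hypothetical, and reading "validating" as binding each identifier to the origin it was issued to is an assumption.

```javascript
// Added illustration; every name and value below is constructed.
// Server-side record of identifiers handed out to client origins:
// identifier -> the origin it was issued to and the user it belongs to.
const handles = new Map([
  ['h-photos-1', { origin: 'https://photos.example', user: 'alice' }],
  ['h-print-1', { origin: 'https://print.example', user: 'alice' }],
]);

// Unvalidated sharing: the server combines the cookie-derived user with
// whatever identifier the caller names. Any origin running in alice's
// browser can present an identifier that was issued to a different origin.
function authorizeNaive(req) {
  const h = handles.get(req.handle);
  return Boolean(h && h.user === req.cookieUser);
}

// Validated sharing: the identifier must also have been issued to the origin
// presenting it. On a CORS request the browser sets the Origin header, so
// page script cannot choose its value. A missing header or the opaque
// "null" origin is refused.
function authorizeChecked(req) {
  const h = handles.get(req.handle);
  if (!h || h.user !== req.cookieUser) return false;
  if (typeof req.origin !== 'string' || req.origin === 'null') return false;
  return h.origin === req.origin;
}

// Constructed requests: cookieUser stands for the session resolved from the
// cookie, origin for the Origin request header, handle for the identifier
// named in the request body.
const legit = { cookieUser: 'alice', origin: 'https://photos.example', handle: 'h-photos-1' };
const spoofed = { cookieUser: 'alice', origin: 'https://print.example', handle: 'h-photos-1' };
const opaque = { cookieUser: 'alice', origin: 'null', handle: 'h-photos-1' };

function report() {
  return [legit, spoofed, opaque].map((req) => ({
    origin: req.origin,
    naive: authorizeNaive(req),
    checked: authorizeChecked(req),
  }));
}

console.log(report());
```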