W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2010

Re: UMP / CORS: Implementor Interest

From: Tyler Close <tyler.close@gmail.com>
Date: Wed, 12 May 2010 09:01:10 -0700
Message-ID: <AANLkTikwQ8C4TCk8zS9UXV3bJ0v9qZvJWOQNzRxsIS4L@mail.gmail.com>
To: Ian Hickson <ian@hixie.ch>
Cc: Arthur Barstow <Art.Barstow@nokia.com>, ext Jonas Sicking <jonas@sicking.cc>, Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>, Adam Barth <w3c@adambarth.com>
On Tue, May 11, 2010 at 5:15 PM, Ian Hickson <ian@hixie.ch> wrote:
> On Tue, 11 May 2010, Tyler Close wrote:
>>
>> CORS introduces subtle but severe Confused Deputy vulnerabilities
>
> I don't think everyone is convinced that this is the case.

AFAICT, there is consensus that CORS has Confused Deputy
vulnerabilities. I can pull up email quotes from almost everyone
involved in the conversation.

It is also not a question of opinion, but fact. CORS uses ambient
authority for access control in 3 party scenarios. CORS is therefore
vulnerable to Confused Deputy.

> It is certainly
> possible to mis-use CORS in insecure ways, but then it's also possible to
> mis-use UMP in insecure ways. As far as I can tell, confused deputy
> vulnerabilities only occur with CORS if you use it in inappropriate ways,
> such as sharing identifiers amongst different origins without properly
> validating that they aren't spoofing each other.

In the general case, including many common cases, doing this
validation is not feasible. The CORS specification should not be
allowed to proceed through standardization without providing
developers a robust solution to this problem.

CORS is a new protocol and the WG has been made aware of the security
issue before applications have become widely dependent upon it. The WG
cannot responsibly proceed with CORS as is.

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Wednesday, 12 May 2010 16:01:44 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:38 GMT