
Re: UMP / CORS: Implementor Interest

From: Ian Hickson <ian@hixie.ch>
Date: Wed, 12 May 2010 17:39:24 +0000 (UTC)
To: Tyler Close <tyler.close@gmail.com>
Cc: Arthur Barstow <Art.Barstow@nokia.com>, ext Jonas Sicking <jonas@sicking.cc>, Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>, Adam Barth <w3c@adambarth.com>
Message-ID: <Pine.LNX.4.64.1005121734450.8532@ps20323.dreamhostps.com>
On Wed, 12 May 2010, Tyler Close wrote:
> On Tue, May 11, 2010 at 5:15 PM, Ian Hickson <ian@hixie.ch> wrote:
> > On Tue, 11 May 2010, Tyler Close wrote:
> >>
> >> CORS introduces subtle but severe Confused Deputy vulnerabilities
> >
> > I don't think everyone is convinced that this is the case.
> 
> AFAICT, there is consensus that CORS has Confused Deputy 
> vulnerabilities. I can pull up email quotes from almost everyone 
> involved in the conversation.

There's clearly not complete consensus since at least I disagree.


> It is also not a question of opinion, but fact. CORS uses ambient 
> authority for access control in 3 party scenarios. CORS is therefore 
> vulnerable to Confused Deputy.

That's like saying that HTML uses markup and is therefore vulnerable to 
markup injection. It's a vast oversimplification and overstatement of the 
problem. It is quite possible to write perfectly safe n-party apps.


> > It is certainly possible to mis-use CORS in insecure ways, but then 
> > it's also possible to mis-use UMP in insecure ways. As far as I can 
> > tell, confused deputy vulnerabilities only occur with CORS if you use 
> > it in inappropriate ways, such as sharing identifiers amongst 
> > different origins without properly validating that they aren't 
> > spoofing each other.
> 
> In the general case, including many common cases, doing this validation 
> is not feasible.

That's nonsense. You have to make sure you don't rely on identifiers to 
confer authority, but that's just a matter of good design.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 12 May 2010 17:39:53 GMT
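As an added illustration of the two positions in the exchange above (a constructed example, not code from the thread or from either specification), the toy authorisation logic below shows a resource server that confers authority from identifiers, the ambient session cookie plus an allowlisted Origin, beside one that requires an explicit credential, which is what "don't rely on identifiers to confer authority" amounts to in practice. The origin, session ids, capability tokens and request shape are all assumed values.

```javascript
// Constructed model of a resource server's authorisation step for a
// cross-origin request. It models only the decision, not CORS headers.
const ALLOWED_ORIGINS = new Set(["https://app.example"]); // assumed allowlist
const SESSIONS = { "sid-alice": "alice" };                  // constructed session store
const CAPABILITIES = {                                      // constructed tokens
  "cap-alice-read": { user: "alice", scope: "read" },
};

// Design 1: authority flows from identifiers. The allowlisted Origin names a
// trusted deputy and the cookie names the user; whatever the deputy asks for
// is executed with the user's full ambient authority, whether or not the user
// intended that action (the confused-deputy shape described in the thread).
function authorizeByIdentifier(req) {
  if (!ALLOWED_ORIGINS.has(req.origin)) {
    return { ok: false, reason: "origin not allowed" };
  }
  const user = SESSIONS[req.cookie];
  if (!user) return { ok: false, reason: "no session" };
  return { ok: true, user, scope: "full" };
}

// Design 2: authority flows from an explicit credential in the request. The
// Origin and cookie may still identify the parties, but only the capability
// decides what is permitted, and it is scoped to a specific action.
function authorizeByCapability(req) {
  const cap = CAPABILITIES[req.capability];
  if (!cap) return { ok: false, reason: "no capability presented" };
  if (req.action !== "read" && cap.scope !== "write") {
    return { ok: false, reason: "capability lacks scope for " + req.action };
  }
  return { ok: true, user: cap.user, scope: cap.scope };
}

// Constructed request: sent via the trusted deputy origin, carrying the user's
// ambient cookie, asking for a destructive action, with no explicit credential.
const SAMPLE_REQUEST = {
  origin: "https://app.example",
  cookie: "sid-alice",
  action: "delete",
  capability: undefined,
};

// Runs both designs over one request so the difference is visible side by side.
function compareDesigns(req) {
  return {
    byIdentifier: authorizeByIdentifier(req),
    byCapability: authorizeByCapability(req),
  };
}

console.log(JSON.stringify(compareDesigns(SAMPLE_REQUEST), null, 2));
```

With the identifier-based check the delete succeeds because the deputy is allowlisted and the cookie is valid; with the capability-based check it fails until the request carries a credential scoped to that action.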