Re: UMP / CORS: Implementor Interest

From: Kris Zyp <kris@sitepen.com>
Date: Wed, 12 May 2010 12:02:39 -0600
Message-ID: <4BEAED3F.5070802@sitepen.com>
To: Ian Hickson <ian@hixie.ch>
CC: Tyler Close <tyler.close@gmail.com>, Arthur Barstow <Art.Barstow@nokia.com>, ext Jonas Sicking <jonas@sicking.cc>, Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>, Adam Barth <w3c@adambarth.com>

On 5/12/2010 11:39 AM, Ian Hickson wrote:
> On Wed, 12 May 2010, Tyler Close wrote:
>> On Tue, May 11, 2010 at 5:15 PM, Ian Hickson <ian@hixie.ch> wrote:
>>> On Tue, 11 May 2010, Tyler Close wrote:
>>>>
>>>> CORS introduces subtle but severe Confused Deputy vulnerabilities
>>>
>>> I don't think everyone is convinced that this is the case.
>>
>> AFAICT, there is consensus that CORS has Confused Deputy
>> vulnerabilities. I can pull up email quotes from almost everyone
>> involved in the conversation.
>
> There's clearly not complete consensus since at least I disagree.
>
>
FWIW, I also disagree that CORS creates inappropriate unconfused
deputy vulnerabilities. CORS provides a totally sufficient pathway for
secure use.

>> It is also not a question of opinion, but fact. CORS uses ambient
>> authority for access control in 3 party scenarios. CORS is therefore
>> vulnerable to Confused Deputy.
>
> That's like saying that HTML uses markup and is therefore vulnerable to
> markup injection. It's a vast oversimplification and overstatement of the
> problem. It is quite possible to write perfectly safe n-party apps.

Adding to this, saying that CORS uses ambient authority doesn't make
sense. CORS itself can't assign authority; owners of resources assign
authority. Any reasonable usage of CORS by resource owners would not
rely on interpreting headers in a way that assigns ambient authority.

-- 
Kris Zyp
SitePen
(503) 806-1841
http://sitepen.com
Received on Wednesday, 12 May 2010 18:04:28 GMT
