Re: UMP / CORS: Implementor Interest from Jonas Sicking on 2010-05-12 (public-webapps@w3.org from April to June 2010)

From: Jonas Sicking <jonas@sicking.cc>
Date: Wed, 12 May 2010 11:17:57 -0700
To: Tyler Close <tyler.close@gmail.com>
Cc: Ian Hickson <ian@hixie.ch>, Arthur Barstow <Art.Barstow@nokia.com>, Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>, Adam Barth <w3c@adambarth.com>
Message-ID: <AANLkTinGbRt_OdpZF7UerUEl3FIcQFAI79HTsHTYYeKn@mail.gmail.com>

On Wed, May 12, 2010 at 9:01 AM, Tyler Close <tyler.close@gmail.com> wrote:
> On Tue, May 11, 2010 at 5:15 PM, Ian Hickson <ian@hixie.ch> wrote:
>> On Tue, 11 May 2010, Tyler Close wrote:
>>>
>>> CORS introduces subtle but severe Confused Deputy vulnerabilities
>>
>> I don't think everyone is convinced that this is the case.
>
> AFAICT, there is consensus that CORS has Confused Deputy
> vulnerabilities. I can pull up email quotes from almost everyone
> involved in the conversation.
>
> It is also not a question of opinion, but fact. CORS uses ambient
> authority for access control in 3 party scenarios. CORS is therefore
> vulnerable to Confused Deputy.

First I should note that I have no idea what this argument is trying
to result in. Is this an attempt at preventing CORS from going to REC?
Or are we just rat holing old discussions?

That said, I feel like I don't want to let the above claim go
unanswered. Like Ian, I think you are oversimplifying the situation. I
would argue that UMP risks resulting in the same confused deputy
problems as CORS in the same complex scenarios where CORS risks
confused deputy problems.

With an UMP based web application it seems like a big risk that people
will create APIs like:

function fetchResource(uri, successCallback) {
  req = new UMPOrWhateverWellCallItRequest();
  uri += "&securityToken=" + gSecurityToken;
  req.open("GET", uri);
  req.send();
  req.onload = function() { successCallback(req.responseText) };
}

Such code risks suffering from the exact same confused deputy problems
as CORS. My concern with UMP is that it takes no responsibility for
the security model and instead puts all responsibility on web sites.
I'm not convinced this will result in increased security on the web,
just the ability for UAs to hide behind arguments like "it's not our
fault that the website has a bug".

I don't see why we couldn't just give websites the ability to use
either security model and stop wasting time reiterating old
discussions.

/ Jonas

Received on Wednesday, 12 May 2010 18:18:52 UTC