- From: Tyler Close <tyler.close@gmail.com>
- Date: Wed, 12 May 2010 12:03:54 -0700
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: Ojan Vafai <ojan@chromium.org>, Ian Hickson <ian@hixie.ch>, Arthur Barstow <Art.Barstow@nokia.com>, Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>, Adam Barth <w3c@adambarth.com>
On Wed, May 12, 2010 at 11:42 AM, Jonas Sicking <jonas@sicking.cc> wrote:
> On Wed, May 12, 2010 at 11:35 AM, Tyler Close <tyler.close@gmail.com> wrote:
>> On Wed, May 12, 2010 at 11:21 AM, Ojan Vafai <ojan@chromium.org> wrote:
>>> On Wed, May 12, 2010 at 9:01 AM, Tyler Close <tyler.close@gmail.com> wrote:
>>>>
>>>> In the general case, including many common cases, doing this
>>>> validation is not feasible. The CORS specification should not be
>>>> allowed to proceed through standardization without providing
>>>> developers a robust solution to this problem.
>>>>
>>>> CORS is a new protocol and the WG has been made aware of the security
>>>> issue before applications have become widely dependent upon it. The WG
>>>> cannot responsibly proceed with CORS as is.
>>>
>>> Clearly there is a fundamental philosophical difference here. The end result
>>> is pretty clear:
>>> 1. Every implementor except Caja is implementing CORS and prefers a unified
>>> CORS/UMP spec.
>>
>> IE does not currently implement the disputed sections of CORS. I don't
>> know what their plans are. Without IE support, the disputed sections
>> of CORS are not a viable option for developers.
>
> Really? As far as I know IE sends the "Origin" header which as I
> understood it was a major source of the confused deputy problem and a
> big reason for drafting the UMP spec?

Yes, IE does implement one disputed feature. I'm just pointing out
that much of the disputed text is not widely deployed, despite claims
to the contrary.

>>> Realistically, UMP's only hope of actually getting wide adoption is if it's
>>> part of the CORS spec. Can you focus on improving CORS so that it addresses
>>> your concerns as much as realistically possible?
>>
>> UMP has had that effect on CORS and I'll continue to pursue this. I
>> also want to see the bad stuff removed.
>
> If so, I'd really like to see the chairs move forward with making the
> WG make some sort of formal decision on whether CORS should be
> published or not. Repeating the same discussion over and over is not
> a good use of your time or mine.

I certainly agree that this has consumed way more time than I would
like. I remain baffled that it's such a hard point to make. The
purpose of CORS is to enable 3 party scenarios. Use of ambient
authority in 3 party scenarios creates Confused Deputy
vulnerabilities. Even simple scenarios are vulnerable if one of the
parties is an attacker. I've shown how to use UMP instead for every
use case anyone has brought up. At this point, my only guess is that
I'm arguing against sunk cost.

--Tyler

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html

Received on Wednesday, 12 May 2010 19:04:26 UTC