W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2010

Re: UMP / CORS: Implementor Interest

From: Tyler Close <tyler.close@gmail.com>
Date: Wed, 12 May 2010 13:31:46 -0700
Message-ID: <AANLkTildT5PnP2X-2ip6p3gUJGYGwPhonaiWEB3UXh8-@mail.gmail.com>
To: Jonas Sicking <jonas@sicking.cc>
Cc: Devdatta <dev.akhawe@gmail.com>, Ian Hickson <ian@hixie.ch>, Arthur Barstow <Art.Barstow@nokia.com>, Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>, Adam Barth <w3c@adambarth.com>
On Wed, May 12, 2010 at 1:13 PM, Jonas Sicking <jonas@sicking.cc> wrote:
> On Wed, May 12, 2010 at 12:38 PM, Devdatta <dev.akhawe@gmail.com> wrote:
>> While most of the discussion in this thread is just repeats of
>> previous discussions, I think Tyler makes a good (and new) point in
>> that the current CORS draft still has no mention of the possible
>> security problems that Tyler talks about. The current draft's security
>> section
>> http://dev.w3.org/2006/waf/access-control/#security
>> is ridiculous considering the amount of discussion that has taken
>> place on this issue on this mailing list.
>> Before going to rec, I believe Anne needs to substantially improve
>> this section - based on stuff from maybe Maciej's presentation - which
>> I found really informative. He could also cite UMP as a possible
>> option for those worried about security.
> I agree that the security section in CORS needs to be improved.
> As for the "should CORS exist" discussion, I'll bow out of those until
> we're starting to move towards officially adopting a WG decision one
> way or another, or genuinely new information is provided which would
> affect such a decision (for the record, I don't think I've seen any
> new information provided since last fall's TPAC).

A smart guy once told me that "You can't tell people anything",
meaning they have to experience it for themselves before they really
get it. Has Mozilla tried to build anything non-trivial using CORS
where cookies + Origin are the access control mechanism? If so, I'll
do a security review of it and we'll see what we learn.


"Waterken News: Capability security on the Web"
Received on Wednesday, 12 May 2010 20:32:19 UTC

This archive was generated by hypermail 2.3.1 : Friday, 27 October 2017 07:26:24 UTC