W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2010

Re: UMP / CORS: Implementor Interest

From: Adam Barth <w3c@adambarth.com>
Date: Wed, 12 May 2010 16:45:31 -0700
Message-ID: <AANLkTik20JbFOKpBOSfMwIpTdoyPJZFHI7zzLMGIXLIZ@mail.gmail.com>
To: Dirk Pranke <dpranke@google.com>
Cc: Tyler Close <tyler.close@gmail.com>, Jonas Sicking <jonas@sicking.cc>, Devdatta <dev.akhawe@gmail.com>, Ian Hickson <ian@hixie.ch>, Arthur Barstow <Art.Barstow@nokia.com>, Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>
On Wed, May 12, 2010 at 4:38 PM, Dirk Pranke <dpranke@google.com> wrote:
> On Wed, May 12, 2010 at 4:06 PM, Adam Barth <w3c@adambarth.com> wrote:
>> On Wed, May 12, 2010 at 3:16 PM, Tyler Close <tyler.close@gmail.com> wrote:
>>> On Wed, May 12, 2010 at 1:38 PM, Jonas Sicking <jonas@sicking.cc> wrote:
>>>> On Wed, May 12, 2010 at 1:31 PM, Tyler Close <tyler.close@gmail.com> wrote:
>>>>> On Wed, May 12, 2010 at 1:13 PM, Jonas Sicking <jonas@sicking.cc> wrote:
>>>>>> On Wed, May 12, 2010 at 12:38 PM, Devdatta <dev.akhawe@gmail.com> wrote:
>>>>>>> While most of the discussion in this thread is just repeats of
>>>>>>> previous discussions, I think Tyler makes a good (and new) point in
>>>>>>> that the current CORS draft still has no mention of the possible
>>>>>>> security problems that Tyler talks about. The current draft's security
>>>>>>> section
>>>>>>>
>>>>>>> http://dev.w3.org/2006/waf/access-control/#security
>>>>>>>
>>>>>>> is ridiculous considering the amount of discussion that has taken
>>>>>>> place on this issue on this mailing list.
>>>>>>>
>>>>>>> Before going to rec, I believe Anne needs to substantially improve
>>>>>>> this section - based on stuff from maybe Maciej's presentation - which
>>>>>>> I found really informative. He could also cite UMP as a possible
>>>>>>> option for those worried about security.
>>>>>>
>>>>>> I agree that the security section in CORS needs to be improved.
>>>>>>
>>>>>> As for the "should CORS exist" discussion, I'll bow out of those until
>>>>>> we're starting to move towards officially adopting a WG decision one
>>>>>> way or another, or genuinely new information is provided which would
>>>>>> affect such a decision (for the record, I don't think I've seen any
>>>>>> new information provided since last fall's TPAC).
>>>>>
>>>>> A smart guy once told me that "You can't tell people anything",
>>>>> meaning they have to experience it for themselves before they really
>>>>> get it. Has Mozilla tried to build anything non-trivial using CORS
>>>>> where cookies + Origin are the access control mechanism? If so, I'll
>>>>> do a security review of it and we'll see what we learn.
>>>>
>>>> Not to my knowledge, no. I believe we use CORS for tinderboxpushlog
>>>> [1], however since that is only dealing with public data I don't
>>>> believe it uses cookies or Origin headers.
>>>
>>> Does anyone have something?
>>
>> At the risk of getting myself involved in this discussion again, you
>> might consider doing a security analysis of Facebook Chat.  Although
>> Facebook Chat uses postMessage, it uses both cookies and postMessage's
>> origin property for authentication, so it might be a system of the
>> kind you're interested in analyzing.
>>
>
> I think (although I'm not certain) that Tyler is asking partially to
> figure out where a non-anonymous CORS request is used in the real
> world. If he isn't, then I am :)
>
> Given that a major (but not the only) claim of the need to adopt CORS
> with support for cookies and the Origin header is that it is in fact
> already implemented and shipping, it would be good to see how it's
> being used. If we can't find any examples of it being used (in the
> non-anonymous case, at least), then the argument against us having to
> keep it would hold less water. If we can find it being used, then we
> can see both how we would handle the case with UMP, and whether or not
> the CORS usage is in fact secure.

Oh, I misunderstood.  I thought he wanted to do a security review to
show that there was a confused deputy causing problems.

Adam
Received on Wednesday, 12 May 2010 23:46:23 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:38 GMT