- From: Adam Barth <w3c@adambarth.com>
- Date: Wed, 12 May 2010 16:45:31 -0700
- To: Dirk Pranke <dpranke@google.com>
- Cc: Tyler Close <tyler.close@gmail.com>, Jonas Sicking <jonas@sicking.cc>, Devdatta <dev.akhawe@gmail.com>, Ian Hickson <ian@hixie.ch>, Arthur Barstow <Art.Barstow@nokia.com>, Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>
On Wed, May 12, 2010 at 4:38 PM, Dirk Pranke <dpranke@google.com> wrote: > On Wed, May 12, 2010 at 4:06 PM, Adam Barth <w3c@adambarth.com> wrote: >> On Wed, May 12, 2010 at 3:16 PM, Tyler Close <tyler.close@gmail.com> wrote: >>> On Wed, May 12, 2010 at 1:38 PM, Jonas Sicking <jonas@sicking.cc> wrote: >>>> On Wed, May 12, 2010 at 1:31 PM, Tyler Close <tyler.close@gmail.com> wrote: >>>>> On Wed, May 12, 2010 at 1:13 PM, Jonas Sicking <jonas@sicking.cc> wrote: >>>>>> On Wed, May 12, 2010 at 12:38 PM, Devdatta <dev.akhawe@gmail.com> wrote: >>>>>>> While most of the discussion in this thread is just repeats of >>>>>>> previous discussions, I think Tyler makes a good (and new) point in >>>>>>> that the current CORS draft still has no mention of the possible >>>>>>> security problems that Tyler talks about. The current draft's security >>>>>>> section >>>>>>> >>>>>>> http://dev.w3.org/2006/waf/access-control/#security >>>>>>> >>>>>>> is ridiculous considering the amount of discussion that has taken >>>>>>> place on this issue on this mailing list. >>>>>>> >>>>>>> Before going to rec, I believe Anne needs to substantially improve >>>>>>> this section - based on stuff from maybe Maciej's presentation - which >>>>>>> I found really informative. He could also cite UMP as a possible >>>>>>> option for those worried about security. >>>>>> >>>>>> I agree that the security section in CORS needs to be improved. >>>>>> >>>>>> As for the "should CORS exist" discussion, I'll bow out of those until >>>>>> we're starting to move towards officially adopting a WG decision one >>>>>> way or another, or genuinely new information is provided which would >>>>>> affect such a decision (for the record, I don't think I've seen any >>>>>> new information provided since last fall's TPAC). >>>>> >>>>> A smart guy once told me that "You can't tell people anything", >>>>> meaning they have to experience it for themselves before they really >>>>> get it. Has Mozilla tried to build anything non-trivial using CORS >>>>> where cookies + Origin are the access control mechanism? If so, I'll >>>>> do a security review of it and we'll see what we learn. >>>> >>>> Not to my knowledge, no. I believe we use CORS for tinderboxpushlog >>>> [1], however since that is only dealing with public data I don't >>>> believe it uses cookies or Origin headers. >>> >>> Does anyone have something? >> >> At the risk of getting myself involved in this discussion again, you >> might consider doing a security analysis of Facebook Chat. Although >> Facebook Chat uses postMessage, it uses both cookies and postMessage's >> origin property for authentication, so it might be a system of the >> kind you're interested in analyzing. >> > > I think (although I'm not certain) that Tyler is asking partially to > figure out where a non-anonymous CORS request is used in the real > world. If he isn't, then I am :) > > Given that a major (but not the only) claim of the need to adopt CORS > with support for cookies and the Origin header is that it is in fact > already implemented and shipping, it would be good to see how it's > being used. If we can't find any examples of it being used (in the > non-anonymous case, at least), then the argument against us having to > keep it would hold less water. If we can find it being used, then we > can see both how we would handle the case with UMP, and whether or not > the CORS usage is in fact secure. Oh, I misunderstood. I thought he wanted to do a security review to show that there was a confused deputy causing problems. Adam
Received on Wednesday, 12 May 2010 23:46:23 UTC