W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2010

Re: UMP / CORS: Implementor Interest

From: Dirk Pranke <dpranke@google.com>
Date: Thu, 13 May 2010 15:39:42 -0700
Message-ID: <w2r3726d1bf1005131539s336a0a69sa5c58ff4baa7d170@mail.gmail.com>
To: Ian Hickson <ian@hixie.ch>
Cc: Tyler Close <tyler.close@gmail.com>, public-webapps <public-webapps@w3.org>
On Wed, May 12, 2010 at 10:02 PM, Ian Hickson <ian@hixie.ch> wrote:
> On Wed, 12 May 2010, Tyler Close wrote:
>>
>> So HTML is not vulnerable to Cross-Site Scripting, C++ is not vulnerable
>> to buffer overflows and so CORS is not vulnerable to Confused Deputy.
>
> Correct.
>

As some (at least me) might be confused by what you're saying here,
are you saying that "C++ isn't vulnerable to buffer overflows, rather
*some programs* written in C++ are vulnerable to buffer overflows"?
And, hence, some usages of CORS aren't vulnerable to buffer overflows
and so you can say that CORS itself is not, either? Or are you saying
something stronger, and I'm still not following you?

Like MarkM, I perhaps am not understanding the "Web standards" manner
of using the word "vulnerable" and so it would be helpful if you could
elaborate.

To continue the analogy, there is an essential distinction between
C++'s vulnerability to buffer overflows and (Java, Python, ML, etc.)
total lack of vulnerability. To say that C++ is not subject to buffer
overflows but rather individual programs are at fault is to lose sight
of that essential distinction. Much as Tyler is attempting to
distinguish between APIs that use ambient authority (and hence, are
"vulnerable", even if some usages are safe) and APIs where that simply
cannot happen.

Regardless of the above, I agree 100% that it is more fruitful to
focus on actual examples so we can be completely clear about this ...

-- Dirk
Received on Thursday, 13 May 2010 22:40:15 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:38 GMT