Re: widget example of CORS and UMP

From: Ojan Vafai <ojan@chromium.org>
Date: Fri, 14 May 2010 12:20:37 -0700
Message-ID: <AANLkTilM8NOQgsHHsULV7yJd-Gg5LwzSDNvT1i_hQnQe@mail.gmail.com>
To: Tyler Close <tyler.close@gmail.com>
Cc: Dirk Pranke <dpranke@chromium.org>, Maciej Stachowiak <mjs@apple.com>, public-webapps <public-webapps@w3.org>
On Fri, May 14, 2010 at 12:00 PM, Tyler Close <tyler.close@gmail.com> wrote:

> On Fri, May 14, 2010 at 11:27 AM, Dirk Pranke <dpranke@chromium.org> wrote:
> > You are correct that it is possible to use CORS unsafely. It is possible to use
> > UMP unsafely,
>
> Again, that is broken logic. It is possible to write unsafe code in
> C++, but it is also possible to write unsafe code in Java, so there's
> no security difference between the two languages. Please, this
> illogical argument needs to die.


This feels like a legal proceeding. Taken out of context, this sounds
illogical; in the context of the rest of the paragraph, Dirk's point makes
perfect sense. In the same way that CORS has security problems, so does UMP.

For example, I don't understand how UMP can ever work with GET requests.
Specifically, how do you deal with users sharing URLs with malicious
parties? Or is that not considered a problem?

Ojan
Received on Friday, 14 May 2010 19:21:26 GMT