W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2010

Re: widget example of CORS and UMP

From: Dirk Pranke <dpranke@chromium.org>
Date: Fri, 14 May 2010 12:46:08 -0700
Message-ID: <AANLkTim9eBYQbRAZ-kfqCCEQp1cyj6F8zIWD0cFmF5PH@mail.gmail.com>
To: Tyler Close <tyler.close@gmail.com>
Cc: Ojan Vafai <ojan@chromium.org>, Maciej Stachowiak <mjs@apple.com>, public-webapps <public-webapps@w3.org>
On Fri, May 14, 2010 at 12:27 PM, Tyler Close <tyler.close@gmail.com> wrote:
> On Fri, May 14, 2010 at 12:20 PM, Ojan Vafai <ojan@chromium.org> wrote:
>> On Fri, May 14, 2010 at 12:00 PM, Tyler Close <tyler.close@gmail.com> wrote:
>>>
>>> On Fri, May 14, 2010 at 11:27 AM, Dirk Pranke <dpranke@chromium.org>
>>> wrote:
>>> > You are correct that it is possible to use CORS unsafely. It is possible
>>> > to use
>>> > UMP unsafely,
>>>
>>> Again, that is broken logic. It is possible to write unsafe code in
>>> C++, but it is also possible to write unsafe code in Java, so there's
>>> no security difference between the two languages. Please, this
>>> illogical argument needs to die.
>>
>> This feels like a legal proceeding. Taken out of context, this sounds
>> illogical, in the context of the rest of the paragraph Dirk's point makes
>> perfect sense.
>
> My email included all of Dirk's text. I didn't remove it from context.
> I don't think it makes any sense, even in context.
>
>> In the same way that CORS has security problems, so does UMP.
>
> No, not in "the same way". The security issues are different in nature
> and severity. You can't just say there exist problems in both, so
> they're equivalent. That's not sensible.

Ojan said "in the same way", not me, and I did not say that they were
equivalent. I agree that the security issues are different in nature.
Your assessment of the relative severity of the two problems differs
from others' assessments.

At this point, I think this thread has run its course, unless there
are further specific criticisms against the example I gave.

I think the important takeaway is that as long as the two sites are
only running trusted code (i.e., no third party gadgets), CORS met the
intended use case securely. As soon as a third party was introduced,
the potential for confused deputies arose and life got a whole lot
more complicated.

-- Dirk
Received on Friday, 14 May 2010 19:47:05 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:38 GMT