- From: Maciej Stachowiak <mjs@apple.com>
- Date: Sat, 09 Jan 2010 10:01:08 -0800
- To: Tyler Close <tyler.close@gmail.com>
- Cc: Adam Barth <w3c@adambarth.com>, public-webapps <public-webapps@w3.org>
On Jan 9, 2010, at 7:23 AM, Tyler Close wrote:

> If the response can be parsed as ECMAScript, an attacker can break
> confidentiality by loading the document using a <script> tag.

I don't think this is a valid argument for potentially breaking confidentiality for content that is not parseable as ECMAScript. Browsers consider it a security hole when client-side script can access HTML or XML cross-domain in the same way as JavaScript or CSS.

> Also, for any media-type, the attacker can mount a clickjacking attack
> against this design. Since in general this design cannot be made safe,
> I think it's better to not support it at all in the security model, by
> allowing a uniform request to follow a non-uniform redirect.

It used to be that UMP was a subset of CORS (in the sense that some request headers and some processing of allowed responses is removed, but otherwise the model is the same). This feature moves us away from that.

We've also had a proposal for XHR2 to support UMP or a UMP-like mode before, but now it seems like the intent is to provide a completely separate UniformRequest API. I am concerned that this area of work, which started out with the potential to integrate nicely with existing specs, is becoming a parallel universe.

> A security model that works for some media-types but not others is just
> too bizarre to explain to developers. This choice doesn't endanger
> existing resources, since CORS also allows a cross-origin request to
> follow a redirect that has not opted out of the Same Origin Policy.

Maybe I'm misreading CORS, but that doesn't seem to be the case. Note step 4 here:

http://www.w3.org/TR/access-control/#redirect-steps

Regards,
Maciej
Received on Saturday, 9 January 2010 18:01:42 UTC
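The disagreement above is about what a CORS client does when a cross-origin request is answered with a redirect: under the redirect steps Maciej links to, the redirect response itself has to pass the resource sharing check before the client follows it. The script below is an added example written for this archive page, not code from the thread or from any browser; it models that behaviour with a constructed in-memory "network" (the origins `app.example`, `api.example`, `cdn.example` and `intranet.example` and their responses are made up) and assumes the request is cross-origin from the first hop, so that every response in the chain, 3xx redirects included, must carry a matching `Access-Control-Allow-Origin` before the client uses it.

```javascript
// Added example (not from the thread): a small model of CORS redirect handling.
// A cross-origin request only follows a redirect when each response in the
// chain, the 3xx redirect responses included, passes the resource sharing check.
// Assumptions: the request is cross-origin at every hop, and the check is the
// Access-Control-Allow-Origin rule ("*" only without credentials, otherwise an
// exact match on the requesting origin). Everything below is constructed data.

// Constructed "network": URL -> canned response.
const FAKE_NETWORK = {
  // Redirect that opts in, to a target that also opts in: may be followed.
  "https://api.example/data": {
    status: 302,
    headers: { "Location": "https://cdn.example/data.json",
               "Access-Control-Allow-Origin": "https://app.example" },
    body: "",
  },
  "https://cdn.example/data.json": {
    status: 200,
    headers: { "Access-Control-Allow-Origin": "https://app.example" },
    body: '{"ok":true}',
  },
  // Redirect that has not opted in: ends in a network error at the first hop.
  "https://api.example/no-optin": {
    status: 302,
    headers: { "Location": "https://cdn.example/data.json" },
    body: "",
  },
  // Redirect that opts in (wildcard) but points at a resource that has not.
  "https://api.example/bounce": {
    status: 302,
    headers: { "Location": "https://intranet.example/report",
               "Access-Control-Allow-Origin": "*" },
    body: "",
  },
  "https://intranet.example/report": { status: 200, headers: {}, body: "internal" },
  // Redirect loop: opts in at every hop but never terminates.
  "https://api.example/loop": {
    status: 307,
    headers: { "Location": "/loop", "Access-Control-Allow-Origin": "*" },
    body: "",
  },
};

// CORS resource sharing check on one response.
function resourceSharingCheck(response, requestOrigin, withCredentials) {
  const allow = response.headers["Access-Control-Allow-Origin"];
  if (allow === undefined) return false;      // no opt-in at all
  if (allow === "*") return !withCredentials;  // wildcard never covers credentialed requests
  return allow === requestOrigin;
}

// Cross-origin GET that follows redirects the way the redirect steps require:
// every response, redirect or final, passes the check before it is used.
// Returns { ok, body, chain } on success or { ok: false, error, chain } otherwise;
// `chain` lists the URLs that were actually requested.
function corsFetch(url, requestOrigin, { withCredentials = false, maxRedirects = 5 } = {}) {
  const chain = [];
  let current = url;
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const response = FAKE_NETWORK[current];
    chain.push(current);
    if (!response) return { ok: false, error: "no such resource", chain };
    if (!resourceSharingCheck(response, requestOrigin, withCredentials)) {
      // The response is discarded; the calling page learns nothing about it.
      return { ok: false, error: "network error: " + current + " did not opt in", chain };
    }
    if ([301, 302, 303, 307].includes(response.status)) {
      const location = response.headers["Location"];
      if (!location) return { ok: false, error: "redirect without Location", chain };
      current = new URL(location, current).href;  // resolve relative Location values
      continue;
    }
    return { ok: true, status: response.status, body: response.body, chain };
  }
  return { ok: false, error: "too many redirects", chain };
}

// Usage: the chain with an opt-in at every hop succeeds; the others do not.
console.log(corsFetch("https://api.example/data", "https://app.example"));
console.log(corsFetch("https://api.example/no-optin", "https://app.example"));
console.log(corsFetch("https://api.example/bounce", "https://app.example"));
```

The `bounce` case is the one that matters for the thread: the first hop opts in with a wildcard, but the client still stops at the second hop because `intranet.example` sent no `Access-Control-Allow-Origin`, so the redirect target's opt-in is checked independently of the redirecting resource's. Sending credentials tightens this further, since a wildcard is then rejected at the first hop.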