
Re: [UMP] Feedback on UMP from a quick read

From: Adam Barth <w3c@adambarth.com>
Date: Sat, 9 Jan 2010 14:23:24 -0800
Message-ID: <7789133a1001091423n1b4db740j279e30a823348c4b@mail.gmail.com>
To: Tyler Close <tyler.close@gmail.com>
Cc: public-webapps <public-webapps@w3.org>
On Sat, Jan 9, 2010 at 1:57 PM, Tyler Close <tyler.close@gmail.com> wrote:
> On Sat, Jan 9, 2010 at 10:20 AM, Adam Barth <w3c@adambarth.com> wrote:
>> That's the security model we have.  For example, it's safe to return
>> untrusted HTML tags with certain media types but not with others.
>
> Just because the Same Origin Policy is full of bizarre gotchas doesn't
> mean the UMP must also be. Using the UMP with permission tokens
> eliminates several of the gotchas. I'm taking every opportunity I can
> to provide developers with a more reasonable security model. Surely a
> security expert must applaud this effort.

You're making the security model *weaker* though.  Why not make it stronger?

Your reaction to a small (i.e., partial) leak of information in one
media type is to open the floodgates for leaking all information about
all media types.  That doesn't make any sense.

By way of example, suppose images leaked information about their
height and width (which they do!), does that mean we should disclose
all manner of confidential information stored in HTML documents?

>> I'm glad you consider CORS to be the epitome of a secure design.  :)
>
> Does the smiley imply that you don't consider CORS to be a good
> example of secure design?

My point is more that UMP should be a subset of CORS (which we're
selecting based on some principled notions about security).  Having
the security model for UMP be tighter than CORS in some places and
looser than CORS in others doesn't seem like a good idea.

Adam
Received on Saturday, 9 January 2010 22:24:18 GMT