
Re: [UMP] Feedback on UMP from a quick read

From: Adam Barth <w3c@adambarth.com>
Date: Sat, 9 Jan 2010 15:03:22 -0800
Message-ID: <7789133a1001091503t2d5f1217tbb0f3007417f869e@mail.gmail.com>
To: Tyler Close <tyler.close@gmail.com>
Cc: public-webapps <public-webapps@w3.org>

On Sat, Jan 9, 2010 at 2:39 PM, Tyler Close <tyler.close@gmail.com> wrote:
> On Sat, Jan 9, 2010 at 2:23 PM, Adam Barth <w3c@adambarth.com> wrote:
>> On Sat, Jan 9, 2010 at 1:57 PM, Tyler Close <tyler.close@gmail.com> wrote:
>>> On Sat, Jan 9, 2010 at 10:20 AM, Adam Barth <w3c@adambarth.com> wrote:
>>>> That's the security model we have.  For example, it's safe to return
>>>> untrusted HTML tags with certain media types but not with others.
>>>
>>> Just because the Same Origin Policy is full of bizarre gotchas doesn't
>>> mean the UMP must also be. Using the UMP with permission tokens
>>> eliminates several of the gotchas. I'm taking every opportunity I can
>>> to provide developers with a more reasonable security model. Surely a
>>> security expert must applaud this effort.
>>
>> You're making the security model *weaker* though.  Why not make it stronger?
>>
>> Your reaction to a small (i.e., partial) leak of information in one
>> media type is to open the floodgates for leaking all information about
>> all media types.  That doesn't make any sense.
>
> Originally, you characterized your scenario as obscure. Now you say
> it's opening the floodgates. I don't find your frequent outbursts of
> hyperbole at all constructive. Others have pointed this out more
> subtly, but I guess you didn't get the hint.

The scenario is obscure.  My point is that your reasoning doesn't make sense.

> In any case, I thought following of non-uniform redirects was the
> original semantics introduced by CORS and so decided to retain it.
> Like I said in the last email, I am reconsidering that based on
> Maciej's correction.

Great.  :)

> And just to be clear. In no reasonable way can either decision be said
> to "open the floodgates". I also don't see any reasonable way to
> conclude that the UMP security model is weaker than CORS. Those are
> some pretty outlandish claims to try to prove.

What I'm saying is that it isn't strictly stronger.  It's weaker in
some places and stronger in others.  IMHO, UMP ought to be strictly
more secure than CORS.  Sure, the cases where it's weaker are obscure,
but that doesn't mean we should let UMP have "bizarre gotchas."

Adam
Received on Saturday, 9 January 2010 23:04:15 GMT
