
Re: [UMP] Feedback on UMP from a quick read

From: Tyler Close <tyler.close@gmail.com>
Date: Sun, 10 Jan 2010 14:54:17 -0800
Message-ID: <5691356f1001101454v66753e23ne268eb50c58e014f@mail.gmail.com>
To: Maciej Stachowiak <mjs@apple.com>
Cc: Adam Barth <w3c@adambarth.com>, public-webapps <public-webapps@w3.org>

On Sun, Jan 10, 2010 at 6:54 AM, Maciej Stachowiak <mjs@apple.com> wrote:
> What I meant to say was that the weak confidentiality
> protection for ECMAScript should not be used as an excuse to weaken
> protection for other resources.

And I was never proposing to weaken existing protection for other
resources. My reasoning rested on two points:
1. I thought this redirect behavior was the CORS-defined behavior.
2. Even if it's not, this WG is currently defining the security model
for newly allowed cross-domain requests. It's reasonable to say that
if you refer to a resource using a guessable URL and respond to a
uniform GET request with a response marked as accessible by any
origin, then there's no confidentiality. This rule has no impact on
the security of existing resources, since they don't yet have a Same
Origin Policy opt-out header. This rule has the advantage of covering
up the bizarre Same Origin Policy handling of ECMAScript data, thus
eliminating a dangerous security gotcha for developers. It's bad when
developers think they've implemented a design that provides
confidentiality, and that turns out not to be true. We should be
trying for a simple set of rules that yield easily predictable
results.

> This is a leaky and awkward hole but it does
> not justify ignoring more general confidentiality concerns in any context.

Again, I wasn't doing that. I was looking at one very specific context
that doesn't even exist yet, because we're currently defining it.

> Adam's analogy was that the widespread existence of XSS bugs is not a reason
> to remove all cross-domain protection either.

That would be an extremely foolish thing to propose. I don't think I
was being extremely foolish. The analogy is a poor one.

> While it's not a 100% on-point
> analogy, I got the point he was making and I recognize that it is similar to
> my own.

In that case, please consider the argument I present at the top of
this email. The proposal is different from what you've understood.

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Sunday, 10 January 2010 22:54:50 GMT
