
Re: [UMP] Server opt-in

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 12 Jan 2010 14:57:36 -0800
Message-ID: <7789133a1001121457sb1ff29bse20928d180289e33@mail.gmail.com>
To: Tyler Close <tyler.close@gmail.com>
Cc: public-webapps <public-webapps@w3.org>
On Tue, Jan 12, 2010 at 2:47 PM, Tyler Close <tyler.close@gmail.com> wrote:
> On Tue, Jan 12, 2010 at 2:44 PM, Adam Barth <w3c@adambarth.com> wrote:
>> Let me phrase my question another way.  Suppose the following situation:
>>
>> 1) I'm a server operator and I want to provide a resource to other web sites.
>> 2) I've been reading public-webapps and I'm concerned about the
>> ambient authority in CORS.
>>
>> How can I share my resource with other web sites and enjoy the
>> security benefits of UMP?
>
> Follow the advice given in the "Security Considerations" section of
> the UMP spec:
>
> http://dev.w3.org/2006/waf/UMP/#security

As a server operator, why can't I follow that advice with CORS?
Nothing there seems specific to UMP.

I don't understand how UMP is helping server operators deal with the
risks of ambient authority.  When a server operator makes a resource
available via UMP, they're also making it available to CORS with its
attendant security model.

Adam
Received on Tuesday, 12 January 2010 22:58:28 GMT