
Re: [UMP] Server opt-in

From: Devdatta <dev.akhawe@gmail.com>
Date: Tue, 12 Jan 2010 19:12:27 -0800
Message-ID: <ecf35a1b1001121912o3c1eab89x529b78043f86e40a@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: "Mark S. Miller" <erights@google.com>, public-webapps <public-webapps@w3.org>, Tyler Close <tyler.close@gmail.com>
> My question, then, is how can a server enjoy the confidentiality
> benefits of UMP without paying the security costs of CORS?  As
> currently specced, a server needs to take all the CORS risks in order
> to use UMP.  That seems unnecessary.

The page at http://dev.w3.org/2006/waf/UMP/#security clearly mentions
that if you want to have the confidentiality benefits of UMP you need to
ensure that resources you want accessed only by particular principals
use explicit permission tokens (some nonce, I presume).

I don't understand how a server that protects all its relevant
resources through a nonce/permission token can lose confidentiality or
have any "security costs of CORS" just by doing
Access-Control-Allow-Origin: *?

Received on Wednesday, 13 January 2010 03:13:21 UTC
