W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2010

Re: CfC: to publish new WD of CORS; deadline July 20

From: Mark S. Miller <erights@google.com>
Date: Tue, 13 Jul 2010 08:50:26 -0700
Message-ID: <AANLkTinCuXMdcOMJK3XkqDBGpuQEHWtA-5dhCwoQBgkf@mail.gmail.com>
To: art.barstow@nokia.com
Cc: public-webapps <public-webapps@w3.org>
On Tue, Jul 13, 2010 at 6:50 AM, Arthur Barstow <art.barstow@nokia.com>wrote:

> All,
> Anne proposed WebApps publish a new WD of the CORS spec (last published in
> March 2009):
>  http://dev.w3.org/2006/waf/access-control/
> If you have any comments or concerns about this proposal, please send them
> to public-webapps by July 20 at the latest.
> As with all of our CfCs, positive response is preferred and encouraged and
> silence will be assumed to be assent.
> -Art Barstow

Hi Art,

Just a reminder that the Security Consider sections <
http://dev.w3.org/2006/waf/access-control/#security> needs to say more. Our
last discussion of it at <
left the issue with:

   > For example, will the Security Considerations
   > section of CORS have to say:
   > "It is not safe in CORS to make a GET request for public data using a
   > URL obtained from a possibly malicious party. Validating the URL
   > requires global knowledge of all origins that might grant special
   > access to the requestor's origin, and so return private user data."

   Yes, one would imagine saying something quite similar to that.


   I am attempting to highlight that neither solution is a panacea, and
   that you need to be aware of the limitations of either approach. The
   UMP "Security Considerations" section has a long list of SHOULDs that
   need to be followed in order for the approach to be secure, just as
   the HTTP-State draft does, and just as the CORS spec should.

Has anyone been working towards a revised Security Considerations section?

Received on Tuesday, 13 July 2010 15:51:06 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 11 February 2015 14:36:44 UTC