
Re: CfC: to publish new WD of CORS; deadline July 20

From: Mark S. Miller <erights@google.com>
Date: Tue, 13 Jul 2010 08:50:26 -0700
Message-ID: <AANLkTinCuXMdcOMJK3XkqDBGpuQEHWtA-5dhCwoQBgkf@mail.gmail.com>
To: art.barstow@nokia.com
Cc: public-webapps <public-webapps@w3.org>
On Tue, Jul 13, 2010 at 6:50 AM, Arthur Barstow <art.barstow@nokia.com> wrote:

> All,
>
> Anne proposed WebApps publish a new WD of the CORS spec (last published in
> March 2009):
>
>  http://dev.w3.org/2006/waf/access-control/
>
> If you have any comments or concerns about this proposal, please send them
> to public-webapps by July 20 at the latest.
>
> As with all of our CfCs, positive response is preferred and encouraged and
> silence will be assumed to be assent.
>
> -Art Barstow
>


Hi Art,

Just a reminder that the Security Considerations section
<http://dev.w3.org/2006/waf/access-control/#security> needs to say more. Our
last discussion of it at
<http://lists.w3.org/Archives/Public/public-webapps/2010AprJun/0709.html>
left the issue with:


   > For example, will the Security Considerations
   > section of CORS have to say:
   >
   > "It is not safe in CORS to make a GET request for public data using a
   > URL obtained from a possibly malicious party. Validating the URL
   > requires global knowledge of all origins that might grant special
   > access to the requestor's origin, and so return private user data."

   Yes, one would imagine saying something quite similar to that.

[...]

   I am attempting to highlight that neither solution is a panacea, and
   that you need to be aware of the limitations of either approach. The
   UMP "Security Considerations" section has a long list of SHOULDs that
   need to be followed in order for the approach to be secure, just as
   the HTTP-State draft does, and just as the CORS spec should.


Has anyone been working towards a revised Security Considerations section?

-- 
    Cheers,
    --MarkM
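As an added illustration of the validation problem quoted in the message above (example code, not from this thread, the CORS draft or UMP), this shows a requestor page that only issues a cross-origin GET for an attacker-supplied URL when its exact parsed origin is on an allowlist of origins assumed to serve nothing but public data; the allowlist entries and the naive check beside it are constructed for the example.

```javascript
// Added example, not part of the original thread. The quoted text says that
// validating a URL obtained from a possibly malicious party needs "global
// knowledge" of which origins grant access to the requestor's origin. An
// explicit allowlist of public-data origins is that knowledge written down;
// a string-prefix check is not, and is fooled by lookalike hosts and userinfo.
// Allowlist entries are constructed for illustration.

const PUBLIC_DATA_ORIGINS = new Set([
  'https://public.example.com',
  'https://data.example.org:8443',
]);

// Naive check (vulnerable pattern): accepts "https://public.example.com.evil.example/"
// and "https://public.example.com@evil.example/" because both start with the prefix.
function naiveIsAllowed(url) {
  return url.startsWith('https://public.example.com');
}

// Hardened check: parse the URL, reject userinfo, then compare the exact origin
// (scheme + host + port, normalised by the URL parser) against the allowlist.
function isAllowedPublicUrl(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false;                                   // not an absolute URL at all
  }
  if (parsed.protocol !== 'https:') return false;   // only the scheme we allow
  if (parsed.username || parsed.password) return false; // "host@evil" trick
  return PUBLIC_DATA_ORIGINS.has(parsed.origin);
}

// Issue the GET only after validation, and without ambient credentials so that
// a server which happens to grant this origin access cannot turn the request
// into a read of the user's cookie- or HTTP-auth-backed data.
// fetchImpl is injectable so the function can be exercised without a network.
async function fetchPublic(url, fetchImpl = globalThis.fetch) {
  if (!isAllowedPublicUrl(url)) {
    throw new Error('refusing GET: URL origin is not on the public-data allowlist');
  }
  const res = await fetchImpl(url, { method: 'GET', mode: 'cors', credentials: 'omit' });
  return res.text();
}
```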
Received on Tuesday, 13 July 2010 15:51:06 GMT
