
Re: Fwd: CfC: CORS to advance to Last Call

From: Jonathan A Rees <rees@mumble.net>
Date: Tue, 20 Dec 2011 10:44:12 -0500
Message-ID: <CAGnGFMJ=NZEbeay3P85CaRHV-M1NvW5GWazj2LUhJXG6tF0a1w@mail.gmail.com>
To: ashok.malhotra@oracle.com
Cc: www-tag@w3.org

I need to look at the state of play, but if I remember correctly,
concerns about CORS's confused deputy vulnerabilities were raised
(vulnerabilities not shared with UMP). These were answered with a
proposed policy called "don't be a deputy" or DBAD. A request was then
made that this policy be documented and put in the spec as a security
consideration, but I didn't see how this turned out and haven't
checked the latest draft to see if the concerns were answered... will
try to get to this but can't promise much attention to it this week.

Again, memory may fail me but I thought that a "don't send
credentials" flag was added to CORS to support UMP-like access
patterns. If so then one could imagine that a user who came to believe
full CORS was too risky would be given the option, in a browser
configuration panel, to turn off full CORS while retaining the UMP
subset. Or that a browser provider interested in protecting users
might make the same decision categorically. (I know, it's a
stretch...)

I've been playing with an authentication-based (ABAC) sentinel system
called Little Snitch, which is similar to CORS in some ways. It's nice
but it certainly illustrates why it's hard to convince yourself that
ABAC systems are secure - you're confronted with a series of questions
"is it OK for program PPP to talk to host HHH over port NNN?" which
end up being hard to answer because you usually can't assess the risk
that a given program might be a confused deputy. LS tries to give you
some of the deputization stack (call stack) to help you out (again
this is similar to CORS), but I haven't found this all that helpful.

Jonathan

On Tue, Dec 20, 2011 at 9:11 AM, ashok malhotra
<ashok.malhotra@oracle.com> wrote:
> Jonathan:
> IIRC, there was some conflict between CORS and UMP.
> Should look at that again?
> All the best, Ashok
>
>
> On 12/19/2011 7:23 PM, Noah Mendelsohn wrote:
>>
>> Thank you Jonathan. I've looked a bit at CORS, and even wrote a simple toy
>> app that wound up using it.
>>
>> Question: are we at a point where we can net out what, if anything, are
>> likely areas of concern for the TAG regarding CORS? I remember that we had
>> detailed discussions over a year ago, but no longer recall whether we had
>> particular concerns, or just a sense that CORS is a development that we
>> should understand and track. Thank you.
>>
>> Noah
>>
>> On 12/19/2011 2:21 PM, Jonathan A Rees wrote:
>>>
>>> ACTION-344: Alert TAG chair when CORS and/or UMP goes to LC to trigger
>>> security review
>>>
>>> CORS hasn't gone to LC yet, but I wanted to attach this email to the
>>> tracker log for this action, as it appears to be imminent.
>>>
>>> Jonathan
>>>
>>> ---------- Forwarded message ----------
>>> From: Hill, Brad<bhill@paypal-inc.com>
>>> Date: Mon, Dec 19, 2011 at 1:40 PM
>>> Subject: CfC: CORS to advance to Last Call
>>> To: "public-webappsec@w3.org"<public-webappsec@w3.org>, "WebApps WG
>>> (public-webapps@w3.org)"<public-webapps@w3.org>
>>>
>>> As discussed in the WebAppSec WG call on Dec 6, the editor would like
>>> to promote Cross-Origin Resource Sharing (CORS) to Last Call and this
>>> is a Call for Consensus to do so:
>>>
>>> http://www.w3.org/TR/2010/WD-cors-20100727/
>>>
>>> This CfC satisfies the group's requirement to "record the group's
>>> decision to request advancement".
>>>
>>> Positive response to this CfC is preferred and encouraged and silence
>>> will be considered as agreement with the proposal. The deadline for
>>> comments is January 3, 2012. Please send all comments to:
>>>
>>> public-webappsec@w3.org
>>>
>>> Thank you,
>>>
>>> Brad Hill
>>>
>>
>
Received on Tuesday, 20 December 2011 15:44:49 GMT