W3C home > Mailing lists > Public > www-tag@w3.org > December 2011

Re: CfC: CORS to advance to Last Call

From: Jonathan A Rees <rees@mumble.net>
Date: Tue, 20 Dec 2011 20:06:17 -0500
Message-ID: <CAGnGFML5U-w0YM6kGUxke5buSUndq=LPiD1y5X49QyAeERYA2Q@mail.gmail.com>
To: Thomas Roessler <tlr@w3.org>
Cc: Ashok Malhotra <ashok.malhotra@oracle.com>, "www-tag@w3.org List" <www-tag@w3.org>, Brad Hill <bhill@paypal-inc.com>, Eric Rescorla <ekr@rtfm.com>
On Tue, Dec 20, 2011 at 6:26 PM, Thomas Roessler <tlr@w3.org> wrote:
> On 2011-12-20, at 16:44 +0100, Jonathan A Rees wrote:
>
>> If so then one could imagine that a user who came to believe
>> full CORS was too risky would be given the option, in a browser
>> configuration panel, to turn off full CORS while retaining the UMP
>> subset. Or that a browser provider interested in protecting users
>> might make the same decision categorically. (I know, it's a
>> stretch...)
>
> Copying the chairs of webappsec; not sure they're following the discussion on www-tag.
>
> Brad, Ekr -- thread starts here:
>        http://lists.w3.org/Archives/Public/www-tag/2011Dec/0091.html
>
>
> I wanted to make two high-level points:
>
> 1. The choice of security policy in the browser is an important choice, but it's not just the user's.  CORS and UMP hiding behind the very same API, and applications being unable to predict which is which, is a recipe for web applications breaking in inscrutable ways.  That'll lead to a very nasty mix of functionality and security breakages.
>
>
> 2. Some very smart people have been arguing back and forth about CORS v. UMP for a long time now.  (But note that the current version of CORS seems to have a lot of buy-in from the industry, and I haven't seen any interest in pushing UMP forward lately...)
>
> You don't seriously believe that exposing that choice in a browser setting even approximates something like a good idea, right?

Approximately 30% of what I write on www-tag is tongue in cheek to at
least some extent. I try to have fun with this standards business,
since otherwise it can become rather dismal.

The number of people who would understand such a control, and
therefore be able to use it correctly, is approximately zero. Of those
who would understand it, probably 100% would choose a different way to
safeguard themselves (if they felt one was needed), such as turning
off Javascript. So you are right, such a control would be pointless.

I don't think "industry is clamoring for it" is a very good criterion
for judging attempts to protect users' interests. For the most part
industry, like most people most of the time, only cares about
functionality, and security mostly just gets in the way of getting
things done. (Yes, that was flippant.)

Historically I suppose security holes are plugged as attacks
exploiting them mount. I'm just trying to put a positive spin on the
CORS/UMP situation by saying that the ground to which the community
would have to retreat if confused deputy attacks start being a problem
will already be there if there's a UMP option built in (as I think it
is), so deploying a defense would only require removing the
CORS-proper part, not the creation a whole new mechanism.

Jonathan
Received on Wednesday, 21 December 2011 01:06:53 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 26 April 2012 12:48:44 GMT