- From: Maciej Stachowiak <mjs@apple.com>
- Date: Wed, 2 Apr 2008 17:48:57 -0700
- To: "Close, Tyler J." <tyler.close@hp.com>
- Cc: Jonas Sicking <jonas@sicking.cc>, Eric Lawrence <ericlaw@exchange.microsoft.com>, Sunava Dutta <sunavad@windows.microsoft.com>, Ian Hickson <ian@hixie.ch>, "Web API WG (public)" <public-webapi@w3.org>, "public-appformats@w3.org" <public-appformats@w3.org>, Chris Wilson <Chris.Wilson@microsoft.com>, Zhenbin Xu <zhenbinx@windows.microsoft.com>, Gideon Cohn <gidco@windows.microsoft.com>, Sharath Udupa <Sharath.Udupa@microsoft.com>, Doug Stamper <dstamper@exchange.microsoft.com>, Marc Silbey <marcsil@windows.microsoft.com>, David Ross <dross@windows.microsoft.com>, Nikhil Kothari <nikhilko@microsoft.com>
On Apr 2, 2008, at 4:52 PM, Close, Tyler J. wrote: > > Sending the user's cookies, as AC4CSR does, is just not a viable > design, since the target resource cannot determine whether or not > the user consented to the request. I've posted several explanations > of the attacks enabled by this use of ambient authority, and, in my > opinion, the issues are still outstanding. The use of ambient > authority in AC4CSR is a show-stopper, as reflected in the decision > Mozilla announced on this mailing list. Can you please post these examples again, or pointers to where you posted them? I believe they have not been previously seen on the Web API list. A number of people have mentioned that the AC approach to cross-site XHR is insecure (or that XDR is somehow more secure), but I have not yet seen any examples of specific attacks. I would love to see this information. If I do not see a description of a specific attack soon I will assume these claims are just FUD. Note also that sending of cookies is not an essential feature of AC4CSR; certainly it could be a viable spec with that feature removed. Do you believe there are any other showstopper issues? Regards, Maciej
Received on Thursday, 3 April 2008 00:49:42 UTC