
Re: corscheck

From: David Booth <david@dbooth.org>
Date: Wed, 10 Nov 2010 13:36:38 -0500
To: Jonathan Rees <jar@creativecommons.org>
Cc: nathan@webr3.org, Michael Hausenblas <michael.hausenblas@deri.org>, AWWSW TF <public-awwsw@w3.org>
Message-ID: <1289414198.5492.61323.camel@dbooth-laptop>
This sounds interesting, but I don't understand: What does this have to
do with the Architecture of the World Wide Semantic Web?

David



On Tue, 2010-11-09 at 17:18 -0500, Jonathan Rees wrote:
> I'm still not so sure it's safe in the simplest case. The JavaScript
> (attacker) can choose to send user credentials including cookies. This
> seems risky in general, and I would think that encouraging even
> minimal use of CORS could lead to trouble, perhaps not directly
> related to the problem you thought you were solving. Maybe it is
> sometimes safe in this particular situation (promise there are no
> credentials set or used at the site!), but a few WG members think it's
> dangerous and as I say it hasn't gotten proper review. You're playing
> with fire.
> 
> Related: http://codebutler.com/firesheep
> 
> Jonathan
> 
> On Tue, Nov 9, 2010 at 4:19 PM, Nathan <nathan@webr3.org> wrote:
> > Michael Hausenblas wrote:
> >>
> >> Hmmmm. I guess what we want to communicate and advocate for (and I agree
> >> we could make this even more explicit) is: IF you have open (==publicly
> >> available) data, use CORS and do *not* use CORS for everything no matter
> >> what.
> >
> > Perhaps we just need to focus on Access-Control-Allow-Origin then, because
> > that is in CORS and UMP, and XMLHttpRequest and XDomainRequest, and thus -
> > everywhere, and indeed it's the one stable bit of all of this which is
> > in all specs and supported at web-scale.
> >
> > That's all we require for "read", and all that's required for linked data,
> > so perhaps some nice wording around Access-Control-Allow-Origin together
> > with a disclaimer that "cors" is referenced because it's the most well known
> > spec.
> >
> > The message remains the same, while being pre-cr compatible.
> >
> > Sound Okay?
> >
> > ps: would that be enough of a reason to warrant adding support on w3.org
> > vocabs?
> >
> > pps: don't think I can post to awwsw, hence you may have to fwd as
> > appropriate.
> >
> > Best,
> >
> > Nathan
> >
> 
> 
> 

-- 
David Booth, Ph.D.
Cleveland Clinic (contractor)
http://dbooth.org/

Opinions expressed herein are those of the author and do not necessarily
reflect those of Cleveland Clinic.
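The two positions quoted above (Access-Control-Allow-Origin alone is enough for read access to open data; a site that lets cross-origin scripts send credentials is playing with fire) can be made concrete with a small Node.js sketch. This is an added example and is not code from the thread or from any W3C project; the paths, the attacker origin and the server policy functions are made up, and the browser-side check is a simplified model of the credentialed/non-credentialed CORS response check rather than a full implementation of the spec.

```javascript
// Added example (not from the thread): a server-side CORS policy for a
// site that publishes open data, next to the "reflect the Origin and
// allow credentials" pattern the thread warns about, with a simplified
// model of the browser-side check that decides whether a cross-origin
// script may read the response. Paths and origins are made up.

const PUBLIC_PATHS = new Set(["/vocab/foaf.rdf", "/data/open.ttl"]);

// Policy A: open data gets a wildcard; everything else gets no CORS
// headers at all. A cross-origin script can still *send* the request
// (with cookies, if it asks for them), but the browser never hands it
// the response.
function corsHeadersOpenData(path /*, requestOrigin is not consulted */) {
  if (PUBLIC_PATHS.has(path)) {
    return { "Access-Control-Allow-Origin": "*" };
  }
  return {};
}

// Policy B: echo the request's Origin and opt in to credentials. Any
// page the user visits can now read responses produced with the user's
// cookies for this site (the thread's "playing with fire").
function corsHeadersReflectWithCredentials(path, requestOrigin) {
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Simplified model of the browser's CORS response check:
//  - with credentials (withCredentials = true), "*" is rejected; the
//    server must name the origin exactly and send
//    Access-Control-Allow-Credentials: true;
//  - without credentials, "*" or an exact origin match suffices.
function browserExposesResponse(headers, requestOrigin, withCredentials) {
  const acao = headers["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;
  if (!withCredentials) {
    return acao === "*" || acao === requestOrigin;
  }
  return acao === requestOrigin &&
    headers["Access-Control-Allow-Credentials"] === "true";
}

// One cross-origin fetch from an attacker-controlled page under a given
// server policy. Reports whether the attacker's script can read the
// body and whether that body was produced for a cookie-bearing request.
function simulate(policy, path, withCredentials) {
  const attackerOrigin = "https://evil.example"; // made-up origin
  const headers = policy(path, attackerOrigin);
  const readable = browserExposesResponse(headers, attackerOrigin, withCredentials);
  return { readable, leaksCredentialedResponse: readable && withCredentials };
}

function scenarios() {
  return {
    // Open data, anonymous request: readable by anyone, no cookies involved.
    openAnon: simulate(corsHeadersOpenData, "/data/open.ttl", false),
    // Same resource, script asks for credentials: "*" is rejected, so a
    // cookie-bearing response is never exposed even if cookies were sent.
    openWithCookies: simulate(corsHeadersOpenData, "/data/open.ttl", true),
    // Private path under policy A: no CORS headers, nothing readable.
    privateA: simulate(corsHeadersOpenData, "/account/settings", true),
    // Private path under policy B: the attacker reads the victim's data.
    privateB: simulate(corsHeadersReflectWithCredentials, "/account/settings", true),
  };
}

console.log(JSON.stringify(scenarios(), null, 2));
```

The point of policy A is that `Access-Control-Allow-Origin: *` cannot be combined with credentials by a conforming browser, so advertising open data that way does not widen what a cookie-bearing request can leak; the risk only appears once a server starts reflecting the Origin and adding `Access-Control-Allow-Credentials: true`, as policy B does.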
Received on Wednesday, 10 November 2010 18:37:07 GMT
