- From: Tyler Close <tyler.close@gmail.com>
- Date: Mon, 1 Mar 2010 08:47:29 -0800
- To: Robin Berjon <robin@robineko.com>
- Cc: public-device-apis@w3.org
Hi Robin,

There are two crucial constraints on the HTTP requests made by the Powerbox: they must work cross-domain, and they must not use credentials, such as HTTP cookies. If credentials were used, Powerbox requests could be readily used for CSRF-like attacks. Fortunately, both UMP and CORS agree on the need to support these features. The CORS editor has recently been working to add support for these features to CORS, though this support is not yet adequate to support the Powerbox scenario. In general, you can think of UMP as a subset of CORS, so by keeping within the UMP subset, we ensure the Powerbox will be able to work with whichever is standardized.

I'm hoping to keep the UMP acronym for the Uniform Messaging Policy. The name does a good job of capturing the purpose of the mechanism. It's a security policy that's an alternative to the Same Origin Policy, and it works by making messages uniform and so independent of the client's origin. The acronym just falls out of the name. There's no intended association with any colliding acronyms that may come to mind for a Frenchman.

--Tyler

On Mon, Mar 1, 2010 at 5:34 AM, Robin Berjon <robin@robineko.com> wrote:
> Hi,
>
> I just wanted to clarify a small detail concerning Powerbox. The proposal mentions relying on UMP for access; I have nothing against Unified Messaging, but it's currently a fairly early draft and it's unclear what solution will eventually be gravitated towards. I can't see any specific reason why the same proposal couldn't be used with CORS (or whatever we end up with). Am I right in presuming that it's saying UMP now, but it could in fact be another similar option?
>
> PS: any chance of changing the UMP acronym to something else? ;-)
>
> --
> Robin Berjon
> robineko — hired gun, higher standards
> http://robineko.com/

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
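As an added example of the constraint Tyler describes (this is not code from the thread, the Powerbox proposal or the UMP draft), a small server-side guard in JavaScript that treats a request as uniform only when the browser attached no ambient credentials, and answers such requests with the wildcard CORS header that both UMP and CORS use for credential-free cross-origin reads; the header list, the 403 response and the function names are this example's own assumptions.

```javascript
// Added example: a guard for a "uniform" (credential-free) cross-domain endpoint.
// A request authenticated by cookies or HTTP auth is something any page the user
// visits could trigger in the user's name (CSRF). A request that carries nothing
// the browser attached on the user's behalf cannot be forged that way, so it is
// safe to answer regardless of which origin sent it.

// Headers the browser fills in with ambient authority. Assumption for this
// example; a real deployment would also have to refuse TLS client certificates
// and similar transport-level credentials that never show up as headers.
const AMBIENT_CREDENTIAL_HEADERS = ['cookie', 'authorization', 'proxy-authorization'];

// Returns the lower-cased names of credential-bearing headers present on the
// request. An empty array means the request is uniform.
function ambientCredentials(headers) {
  const found = [];
  for (const name of Object.keys(headers)) {
    const lower = name.toLowerCase();
    if (AMBIENT_CREDENTIAL_HEADERS.includes(lower)) found.push(lower);
  }
  return found;
}

// Decide how the endpoint answers. Uniform requests are served with
// "Access-Control-Allow-Origin: *", the response that lets a cross-origin page
// read the reply without any credentials being involved. Requests that do carry
// credentials are refused outright rather than served with the user's authority.
function handleUniformRequest(headers) {
  const creds = ambientCredentials(headers);
  if (creds.length > 0) {
    return {
      status: 403,
      headers: {},
      body: 'uniform endpoint: credentials not accepted (' + creds.join(', ') + ')',
    };
  }
  return {
    status: 200,
    headers: { 'Access-Control-Allow-Origin': '*' },
    body: 'ok',
  };
}

// Constructed sample requests, as a browser might send them.
const forged = handleUniformRequest({ Host: 'example.test', Cookie: 'sid=abc123' });
const uniform = handleUniformRequest({ Host: 'example.test', 'Content-Type': 'text/plain' });
console.log(forged.status, uniform.status, uniform.headers); // 403 200 { 'Access-Control-Allow-Origin': '*' }
```

Any authorisation a uniform endpoint needs has to travel inside the message itself (for example an unguessable token in the URL or body), which is exactly what makes the request independent of the client's origin.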
Received on Monday, 1 March 2010 16:48:03 UTC