- From: Jonas Sicking <jonas@sicking.cc>
- Date: Thu, 19 Jun 2008 17:37:47 -0700
- To: Ian Hickson <ian@hixie.ch>
- CC: Web Applications Working Group WG <public-webapps@w3.org>
Ian Hickson wrote:
> On Thu, 19 Jun 2008, Jonas Sicking wrote:
>> The site is as always responsible for asking the user before allowing
>> third-party access to private data, and yes, if they fail to do so
>> properly they will be vulnerable.
>
> So I guess I don't really understand what your proposal solves, then. It
> seems like a lot of complexity for only a very minimal gain in only one
> very specific scenario (the site doesn't ever return cookie-based data
> cross-site). We're still relying on the author not making mistakes,
> despite "the author will make a mistake" being our underlying assumption.
> If the site has to know to not include the cookie opt-in header, why not
> just have the site ignore the cookies? (It also introduces the problems
> that Maciej mentioned, which I think are valid problems.)

Well, we are talking about two very different types of mistakes, which I think have very different likelihoods of happening. If I understand you correctly.

One mistake is having URIs in the URI space where you opt in to Access-Control which serve private data without you realizing it.

The other mistake is intentionally publishing private data but forgetting to ask your users first before doing so.

Seems to me that the former is a lot more likely than the latter.

/ Jonas

Btw, I just realized that this thread says "version 3", not sure why I made that mistake, this is obviously "version 2" :)
Received on Friday, 20 June 2008 00:37:52 UTC