Re: [cors] Review from Ian Hickson on 2009-06-18 (public-webapps@w3.org from April to June 2009)

From: Ian Hickson <ian@hixie.ch>
Date: Thu, 18 Jun 2009 07:23:17 +0000 (UTC)
To: Tyler Close <tyler.close@gmail.com>
Cc: Anne van Kesteren <annevk@opera.com>, Mark Nottingham <mnot@mnot.net>, public-webapps@w3.org
Message-ID: <Pine.LNX.4.62.0906180603100.16244@hixie.dreamhostps.com>

On Wed, 17 Jun 2009, Tyler Close wrote:
> >>
> >> We should make sure CORS is not being unduly conservative.
> >
> > When we're talking about security, I don't think being unduly 
> > conservative is a bad thing at all.
> 
> So turn off your computer then. ;) "unduly" is always undue.

Er, my bad. I mean, I don't think that CORS is being unduly conservative. 
I think being very conservative when it comes to security is no bad thing.

> Huh. So, how should we proceed? Should we drop this proposal on the 
> hypothesis that there might exist resources that require the more 
> conservative approach taken by CORS? Regardless of the costs this 
> imposes?

I don't think we need to worry about the intranet case given the public 
IP-based authentication case which is also broken by this proposal.

> > I've never worked for a company that didn't give me root on my 
> > network-attached machines and let me configure them however I wanted.
> 
> That's fine, but presumably these companies also provide some setup 
> assistance to you. Does Google IT have any way to put configuration 
> settings in your browser? For example, do you install packages from a 
> Google provided repository? I've heard Google uses something called 
> Goobuntu, or some such. Do you install your own machines, or does Google 
> do that for you?

I don't want to comment on Google's internal practices.

In general I have never worked for a company where there haven't been 
computers that are totally independent of any central management. I don't 
think relying on central management is going to work. Even on things like 
my home intranet I have had IP-based authentication CGI scripts with the 
characteristics you describe, and I don't have a central IT management 
plan at home, I assure you. :-)

> I think we should also look for more details here. These systems that 
> are using the client IP address for authentication, is the client 
> computer an end user computer with a browser installed on it?

If the server is a SOAP server, then no. But I don't see how that matters. 
The problem isn't what the regular client is, the problem is what happens 
when a Web browser is the client and sends requests to the server.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Thursday, 18 June 2009 07:23:53 UTC