Re: [cors] TAG request concerning CORS & Next Step(s)

On Thu, Oct 8, 2009 at 8:06 AM, Anne van Kesteren <annevk@opera.com> wrote:
> On Wed, 24 Jun 2009 19:22:35 +0200, Henry S. Thompson <ht@inf.ed.ac.uk>
> wrote:
>>
>> One point of clarification: my (admittedly imperfect) understanding
>> was that the most important parts of CORS have to be implemented
>> _server_-side for the proposal to achieve its goals.  If that's true,
>> browser deployment alone is insufficient.  Is that a misunderstanding
>> on my part?
>
> As was pointed out elsewhere in this thread it was.

The core criticism that several of us have raised about CORS has never
been addressed -- that it creates further confused deputy problems.
Rather than addressing the "first order" confused deputy problem of
CSRF, it merely postpones it one level, creating second order confused
deputy problems. See Tyler's example.



> I was wondering if the TAG considers this item closed or wishes to know
> something more, in which case I'd like to hear about it! I'm trying to wrap
> up email threads and this is one of them. Thanks!

If the confused deputy problems created by CORS have already been
addressed, I'd like to hear about that. Did I miss part of the thread?


> Kind regards,
>
>
> PS: The remainder of this thread about redirects and CSRF is being taken
> care of by updates to both CORS and the Origin header draft Adam is working
> on. In short Origin will most likely become a space-separated list revealing
> the entire request chain.

Please go back and read "Origin isn't". The redirect problem Tyler
pointed out was merely a symptom of a deeper problem. Tyler was able
to identify this symptom because he does not regard the underlying
problem as merely theoretical. The Origin list "solution" is curing
the symptom only.


>
> --
> Anne van Kesteren
> http://annevankesteren.nl/
>
>



-- 
    Cheers,
    --MarkM

Received on Thursday, 8 October 2009 16:08:01 UTC
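The PS above describes the Origin draft's proposed fix for the redirect case: Origin becomes a space-separated list of every origin in the request chain. The following is an added example (not code from the thread, CORS, or the Origin draft) of what a server would have to do with such a list to close that hole, and of the check that would still miss it. The trusted-origin list and the hostnames are constructed for the example. As the message argues, this handles the redirect symptom only: a list of origins still says nothing about whether a trusted origin is acting on behalf of someone untrusted, which is the second-order confused deputy the reply is about.

```javascript
// Added example: server-side CORS decision over a space-separated Origin
// list, as proposed in the Origin draft quoted in the thread. The trusted
// origins below are constructed for this example, not taken from any site.
const TRUSTED = new Set(['https://app.example', 'https://admin.example']);

// Split the Origin header value into serialized origins. A missing header
// or the literal "null" (an opaque origin) yields an empty list, which must
// never be treated as trusted for a credentialed request.
function parseOriginList(headerValue) {
  if (headerValue === undefined || headerValue === null) return [];
  const v = String(headerValue).trim();
  if (v === '' || v === 'null') return [];
  return v.split(/\s+/);
}

// Naive check: looks only at the first entry, the page that started the
// chain. A redirect through an untrusted host later in the chain is missed,
// which is exactly the redirect problem the thread discusses.
function allowNaive(headerValue) {
  const chain = parseOriginList(headerValue);
  return chain.length > 0 && TRUSTED.has(chain[0]);
}

// Chain check: the list must be non-empty and every hop must be trusted.
function allowChain(headerValue) {
  const chain = parseOriginList(headerValue);
  return chain.length > 0 && chain.every((o) => TRUSTED.has(o));
}

// Response headers for a credentialed cross-origin request, or null to deny.
// With credentials, Access-Control-Allow-Origin must name one specific
// origin, never "*". Which entry of the list the browser compares against is
// a detail of the draft; echoing the initiating origin is an assumption here.
function corsHeaders(headerValue) {
  if (!allowChain(headerValue)) return null;
  const chain = parseOriginList(headerValue);
  return {
    'Access-Control-Allow-Origin': chain[0],
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

module.exports = { parseOriginList, allowNaive, allowChain, corsHeaders };
```

Note what the chain check does not do: a request whose every hop is trusted is allowed, even when the trusted page issued it because an untrusted party asked it to. Nothing in the Origin value distinguishes that case, which is the point of "Origin isn't".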