- From: Kris Zyp <kris@sitepen.com>
- Date: Sat, 24 Oct 2009 07:33:06 -0600
- To: David-Sarah Hopwood <david-sarah@jacaranda.org>
- CC: public-webapps@w3.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David-Sarah Hopwood wrote:
> Doug Schepers wrote:
>> I'm not at all a security expert, or even particularly
>> well-informed on the topic, but it does occur to me that most of
>> CORS' opponents seem very much in the capability-based security
>> camp [1], and may distrust or dislike something more
>> "authentication-based" like CORS.
>
> The reason for that is that the main issue here is CSRF attacks,
> which are a special case of a class of vulnerabilities (confused
> deputy attacks) that capability systems are known to prevent, but
> that other access control systems are generally vulnerable to. So
> it is not surprising that proponents of capability systems would be
> more likely to recognize the importance of this issue.

If I had to briefly describe CORS it would be a specification for
allowing cross site requests while minimizing the transfer of common
forms of ambient authority. Isn't that exactly what capability theory
would advise?

> Indeed the most common -- and arguably most effective -- defence
> against CSRF is to use an unguessable token as an authenticator.
> That token is a sparse capability, used in essentially the same way
> that a capability system would use it.

With the current design, that of defaulting to not sending headers
that usually supply ambient authority (Cookie, Authorization that
would otherwise be delivered automatically), it seems like we are
indeed pushing developers to use more capability-style techniques
like unguessable tokens. I am totally in favor of capability systems,
but the main criticism here seems to be around CORS' overall design,
and it seems to me that the overall design is a great fit for
capability-based approaches.

- --
Kris Zyp
SitePen
(503) 806-1841
http://sitepen.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkrjAhIACgkQ9VpNnHc4zAxupgCdFZdZMUqh2iMu4tJHyFa9RpPQ
U/AAnR97OGcqev31NS0q7iCsmgA9h3U+
=zeXJ
-----END PGP SIGNATURE-----
Received on Saturday, 24 October 2009 13:33:47 UTC