- From: Tyler Close <tyler.close@gmail.com>
- Date: Thu, 10 Dec 2009 11:53:51 -0800
- To: Ian Hickson <ian@hixie.ch>
- Cc: public-webapps@w3.org
On Thu, Dec 10, 2009 at 10:17 AM, Ian Hickson <ian@hixie.ch> wrote:
> That looks _really_ complicated.

By many measures, your CORS based solution is more complicated.

1. It requires a login to Site A for every login to Site B, whereas the UMP solution does not. That means the UMP solution has:
- fewer HTTP requests across the full lifetime of the interaction
- fewer user interactions across the full lifetime of the interaction

2. It creates a CSRF-like vulnerability. In an interaction with Site C, Site B must be careful with how it handles the response to a GET request done at the direction of Site C. For the GET request, Site C could provide the well-known URL for user feeds. A page from Site B could then inadvertently expose this data to Site C because the code wasn't written with the expectation that Site A might be involved. By using UMP, this class of attacks on the page from Site B is impossible.

3. The CORS solution is not implementable for popular user agents today. The XDR API does not support the kind of request the CORS solution needs to make. The UMP solution can be implemented in a cross-platform way today (the code needs browser specific customizations for different constructor names and parameters, but it can work).

The UMP spec may not be exactly what you had in mind; but I believe I've shown that it meets all the requirements, is safer, and represents a consensus amongst current deployments.

--Tyler

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Thursday, 10 December 2009 19:54:24 UTC
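
The confused-deputy case in point 2 of the message above, as an added example that is not part of the original e-mail or of either spec. It is a simplified in-memory model: the site names, URLs, cookie value and the unguessable per-user feed URL standing in for the UMP-style design are all assumptions made for illustration.

```javascript
// Constructed model of the three sites; not code from the thread.
// All names, URLs and values below are hypothetical.
const FEED_URL = "https://a.example/feed"; // well-known, same for every user
const SECRET_FEED_URL =
  "https://a.example/feed/constructed-unguessable-token"; // assumed UMP-style design
const cookieJar = { "a.example": "session=alice" }; // user's ambient login to Site A

// Site A: serves the private feed for a logged-in cookie on the well-known
// URL, or for any request that names the unguessable URL.
function siteA(url, headers) {
  if (url === FEED_URL && headers.Cookie === "session=alice") return "alice-private-feed";
  if (url === SECRET_FEED_URL) return "alice-private-feed";
  return null; // access denied
}

// Route a request to the site that owns the host.
function dispatch(url, headers) {
  const host = new URL(url).host;
  return host === "a.example" ? siteA(url, headers) : "public-data-from-" + host;
}

// Credentialed cross-origin GET: cookies are attached by destination host,
// no matter which party chose the URL.
function credentialedGet(url) {
  const cookie = cookieJar[new URL(url).host];
  return dispatch(url, cookie ? { Cookie: cookie } : {});
}

// Uniform request: never carries cookies, so the URL itself must authorize.
function uniformGet(url) {
  return dispatch(url, {});
}

// Page from Site B: fetches a URL supplied by Site C and hands the response
// back to Site C, written without expecting Site A to be the target.
function siteBServesSiteC(urlFromC, get) {
  return { sentToSiteC: get(urlFromC) };
}
```

With `credentialedGet`, passing `FEED_URL` as Site C's input returns the private feed to Site C; with `uniformGet` the same input yields nothing, while Site B's own use of `SECRET_FEED_URL` still works.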