- From: Ian Hickson <ian@hixie.ch>
- Date: Thu, 10 Dec 2009 20:19:16 +0000 (UTC)
- To: Tyler Close <tyler.close@gmail.com>
- Cc: public-webapps@w3.org
On Thu, 10 Dec 2009, Tyler Close wrote:
> On Thu, Dec 10, 2009 at 10:17 AM, Ian Hickson <ian@hixie.ch> wrote:
> > That looks _really_ complicated.
>
> By many measures, your CORS based solution is more complicated.

The measure I care about is how easy is it to explain and implement. By that measure, CORS is simpler.

(It's not my solution, by the way; I personally haven't really been involved in CORS' development and don't really have a horse in this race.)

> 1. It requires a login to Site A for every login to Site B, whereas the
> UMP solution does not. That means the UMP solution has:
> - fewer HTTP requests across the full lifetime of the interaction
> - fewer user interactions across the full lifetime of the interaction

In practice, Site A has a login mechanism already, so this isn't a big deal. (If it didn't, then it wouldn't have per-user data that it could expose to multiple other sites.)

> 2. It creates a CSRF-like vulnerability. In an interaction with Site C,
> Site B must be careful with how it handles the response to a GET request
> done at the direction of Site C. For the GET request, Site C could
> provide the well-known URL for user feeds. A page from Site B could then
> inadvertently expose this data to Site C because the code wasn't written
> with the expectation that Site A might be involved.

This only happens if you use URIs as tokens, which I strongly believe is a bad idea in general. It's simpler, and safe, not to.

> 3. The CORS solution is not implementable for popular user agents today.
> The XDR API does not support the kind of request the CORS solution needs
> to make. The UMP solution can be implemented in a cross-platform way
> today (the code needs browser specific customizations for different
> constructor names and parameters, but it can work).

Indeed. Today that's what people do. It's complicated and I'd like us to provide a simpler solution.

> The UMP spec may not be exactly what you had in mind; but I believe I've
> shown that it meets all the requirements, is safer, and represents a
> consensus amongst current deployments.

I honestly think that any benefit that might be reaped from avoiding sending the Origin explicitly is completely outweighed by the risks involved in having such a complicated implementation.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 10 December 2009 20:19:54 UTC