Re: CORS versus Uniform Messaging? from Mark S. Miller on 2009-12-13 (public-webapps@w3.org from October to December 2009)

From: Mark S. Miller <erights@google.com>
Date: Sun, 13 Dec 2009 08:54:58 -0800
To: Adam Barth <w3c@adambarth.com>
Cc: Jonas Sicking <jonas@sicking.cc>, Arthur Barstow <Art.Barstow@nokia.com>, Tyler Close <tyler.close@gmail.com>, Ian Hickson <ian@hixie.ch>, Maciej Stachowiak <mjs@apple.com>, Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>
Message-ID: <4d2fac900912130854q401bde40x33fa2edf1679e569@mail.gmail.com>

On Sat, Dec 12, 2009 at 7:17 PM, Adam Barth <w3c@adambarth.com> wrote:

> On Thu, Dec 10, 2009 at 12:04 PM, Jonas Sicking <jonas@sicking.cc> wrote:
> > On Thu, Dec 10, 2009 at 10:53 AM, Arthur Barstow <Art.Barstow@nokia.com>
> wrote:
> >> Ideally, the group would agree on a single model and this could be
> achieved
> >> by converging CORS + UM, abandoning one model in deference to the other,
> >> etc.
> >>
> >> Can we all rally behind a single model?
> >
> > I'm not sure that we want to. My impression is that both models have
> > their advantages and risks. They basically implement two different
> > security design philosophies, and I'm not confident that there is a
> > winner, or that we can correctly pick one.
>
> I agree with Jonas.  It seems unlikely we'll be able to
> design-by-commitee around a difference in security philosophy dating
> back to the 70s.

Hi Adam, the whole point of arguing is to settle controversies. That is how
human knowledge advances. If after 40 years the ACL side has no defenses
left for its position, ACL advocates should have the good grace to concede
rather than cite the length of the argument as a reason not to resolve the
argument.

> > CORS seems easier in the simpler cases when no website acts as a
> > deputy. UM seems less likely to cause confused deputy problems when a
> > website acts as a deputy and receives urls from third parties (either
> > by fetching them over the network, or by having third party code
> > running in their domain using something like caja).
>
> I also agree with Jonas on these points.  What might make the most
> sense is to let the marketplace decide which model is most useful.
> The most likely outcome (in my mind) is that they are optimized for
> different use cases and will each find their own niche.
>

Of course it is left for the marketplace to decide. The W3C has no
enforcement powers. We cannot arrest anyone for deviating from our
standards. The purpose of standards committees is to influence these market
decisions. We have seen the consequence of bad web standards in the
marketplace -- they are generally implemented. We should not abdicate our
responsibility to advise the market by producing good standards.

-- 
   Cheers,
   --MarkM

Received on Sunday, 13 December 2009 16:55:31 UTC