- From: Tyler Close <tyler.close@gmail.com>
- Date: Mon, 14 Dec 2009 16:52:39 -0800
- To: Maciej Stachowiak <mjs@apple.com>
- Cc: "Mark S. Miller" <erights@google.com>, Adam Barth <w3c@adambarth.com>, Jonas Sicking <jonas@sicking.cc>, Arthur Barstow <Art.Barstow@nokia.com>, Ian Hickson <ian@hixie.ch>, Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>

On Sun, Dec 13, 2009 at 6:15 PM, Maciej Stachowiak <mjs@apple.com> wrote:
> There seem to be two schools of thought that to some extent inform the
> thinking of participants in this discussion:
> 1) Try to encourage capability-based mechanisms by not providing anything
> that lets you extend the use of origins and cookies.
> 2) Try to build on the model that already exists and that we are likely
> stuck with, and provide practical ways to mitigate its risks.

My own perspective on this is:

3) In scenarios involving more than 2 parties, the ACL model is
inherently vulnerable to CSRF-like problems. So, for cross-origin
scenarios, a non-ACL model solution is needed.

The above is a purely practical perspective. When writing or auditing
code, UM provides a way to eliminate an entire class of attacks. I
view it the same way I do moving from C to a memory safe language to
avoid buffer overflow and related attacks.

--Tyler

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html

Received on Tuesday, 15 December 2009 00:53:21 UTC