- From: Tyler Close <tyler.close@gmail.com>
- Date: Mon, 19 Apr 2010 11:38:47 -0700
- To: Maciej Stachowiak <mjs@apple.com>
- Cc: marcosc@opera.com, "Mark S. Miller" <erights@google.com>, Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>
On Wed, Apr 7, 2010 at 8:50 PM, Maciej Stachowiak <mjs@apple.com> wrote:
On Thu, Apr 8, 2010 at 5:40 AM, Tyler Close <tyler.close@gmail.com> wrote:
> I think there is a burden on CORS to explain the
> "Don't Be A Deputy" (DBAD) policy you've claimed enables developers to
> safely use CORS. If this policy is fully explained to developers, I
> believe its restrictions will seem onerous and error prone. If this
> policy is not successfully communicated to developers, CORS creates a
> subtle and dangerous security trap of a kind we've seen developers
> fall victim to already with CSRF attacks.

I have yet to receive a response to the above and think it should be an
explicit requirement for resolving ISSUE-108
<http://www.w3.org/2008/webapps/track/issues/108>. Hopefully the tracker
will catch and track this email.

--Tyler

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Monday, 19 April 2010 18:39:20 UTC
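Added illustration, not code from this message, the thread, or the CORS specification, of the CSRF-like trap the message refers to: a cookie-authenticated endpoint that grants credentialed cross-origin access to any Origin ends up acting on the user's ambient authority for whichever site drove the browser. The names (SESSIONS, handleTransfer, corsReflectAny, corsAllowList) and the sample requests are constructed for this example and are assumptions, not anything from the page.

```javascript
// Constructed session table: cookie value -> authenticated user.
const SESSIONS = { 'sid=abc123': 'alice' };

// Request model: { method, origin, cookie, body }. `origin` is undefined
// when the request carries no Origin header (i.e. it is not a CORS request).
function authenticatedUser(req) {
  return req.cookie && SESSIONS[req.cookie] ? SESSIONS[req.cookie] : null;
}

// Trap policy: reflect whatever Origin arrives and allow credentials.
// Any site can now make alice's browser send her cookie and read the reply.
function corsReflectAny(origin) {
  if (origin === undefined) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened policy: only an explicit allow-list of origins gets a
// credentialed grant; every other origin gets no CORS headers at all.
function corsAllowList(allowList) {
  return (origin) => {
    if (origin === undefined || !allowList.includes(origin)) return {};
    return {
      'Access-Control-Allow-Origin': origin,
      'Access-Control-Allow-Credentials': 'true',
      'Vary': 'Origin',
    };
  };
}

// A state-changing endpoint (POST /transfer). The server must decide for
// itself whether to act: for a "simple" cross-origin POST the browser sends
// the request, cookies included, regardless of CORS and merely withholds the
// response from the calling page. Withholding headers alone is not enough.
// Returns { status, headers, acted, ... }.
function handleTransfer(req, policy) {
  const headers = policy(req.origin);
  const user = authenticatedUser(req);
  if (!user) return { status: 401, headers, acted: false };
  // Act only for same-origin requests (no Origin header) or for an origin
  // the policy explicitly granted.
  const granted = req.origin === undefined ||
    headers['Access-Control-Allow-Origin'] === req.origin;
  if (!granted) return { status: 403, headers, acted: false };
  return { status: 200, headers, acted: true, user, amount: req.body.amount };
}

// Constructed requests: alice's browser, driven by a page on evil.example,
// by a page on an approved partner, and by the site itself.
const fromEvil = {
  method: 'POST', origin: 'https://evil.example',
  cookie: 'sid=abc123', body: { to: 'mallory', amount: 500 },
};
const fromPartner = { ...fromEvil, origin: 'https://partner.example' };
const sameOrigin = { ...fromEvil, origin: undefined };
const partnerOnly = corsAllowList(['https://partner.example']);

// Same requests under both policies; the trap acts for evil.example.
function demo() {
  return {
    trapActsForEvil: handleTransfer(fromEvil, corsReflectAny).acted,
    hardenedRefusesEvil: handleTransfer(fromEvil, partnerOnly).status,
    hardenedActsForPartner: handleTransfer(fromPartner, partnerOnly).acted,
    hardenedActsSameOrigin: handleTransfer(sameOrigin, partnerOnly).acted,
  };
}

console.log(demo());
```

The point of the `granted` check in `handleTransfer` is that the decision to act on the cookie's authority is made on the server for each origin; a deployment that only adjusts response headers still performs the transfer for evil.example and relies on the browser hiding the result.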