Re: [UMP] Request for Last Call

On Wed, Apr 7, 2010 at 8:50 PM, Maciej Stachowiak wrote:
On Thu, Apr 8, 2010 at 5:40 AM, Tyler Close wrote:
> I think there is a burden on CORS to explain the
> "Don't Be A Deputy" (DBAD) policy you've claimed enables developers to
> safely use CORS. If this policy is fully explained to developers, I
> believe its restrictions will seem onerous and error prone. If this
> policy is not successfully communicated to developers, CORS creates a
> subtle and dangerous security trap of a kind we've seen developers
> fall victim to already with CSRF attacks.

I have yet to receive a response to the above and think it should be
an explicit requirement for resolving ISSUE-108. Hopefully the
tracker will catch and track this email.


"Waterken News: Capability security on the Web"

Received on Monday, 19 April 2010 18:39:20 UTC