Re: UMP / CORS: Implementor Interest

On Wed, Apr 21, 2010 at 7:40 PM, Maciej Stachowiak <mjs@apple.com> wrote:

> I'm not trying to draw a bright line here between categories of software,
> rather I am looking into the reason this proposed API would exist. The
> purpose is to avoid passively including any credentials that would identify
> the user, identify the requesting site, or otherwise convey ambient
> authority. Right? So what's a good word to express that? Maybe "Anonymous"
> is not the best word to capture that concept, but "Uniform" does not seem to
> capture it either. I don't think most people would make the leap that
> "Uniform" means, "please, browser, don't add any credentials". Whereas I
> think "Anonymous" does convey that intent. There may be an even better
> words, but I think "Anonymous" is a really good fit.
>
> Consider Tor. Tor calls itself "a distributed, anonymous network", and most
> would agree that is a fair label. However, no one assumes that Tor will
> prevent you from typing your real name or other identifying information
> into a Web page, or stop you from uploading a file that includes a PGP
> signature. What it does try to do is ensure that such information is not
> conveyed to anyone passively. That seems to match the intent of UMP (and the
> UMP-like subset of CORS) - no identifying information is passively added,
> but the sender is free to explicitly add it themselves.
>

Thanks, the Tor example is clarifying. Tor attempts to actually provide
anonymity, by attempting to hide all information that might be inadvertently
identifying, like IP address, traffic patterns, or other side channels. The
threat model includes an attacker that may be trying to identify the user
despite the absence of any purposely included identifying information.
UniformRequests provide no such protection, and so should not seem to
promise such. Since authorizing decisions only rely on overt information,
prevention of CSRF-like vulnerabilities need only be concerned about overt
information. Suppressing side channels is *much* harder.

Q: "I sent my messages using AnonXmlHttpRequest. How did the secret police
know I was a dissident?"
A: "The name 'AnonXmlHttpRequest' was chosen to clarify the security
property it provides: absence of CSRF-like vulnerabilities. Why did you
think it provided anonymity?"

> This Working Group also did not agree to standardize [JSONRequest and XDR],
> though both were proposed. We have no say in what names third parties use in
> nonstandard APIs.
>
> In addition, both of these APIs are gratuitously different from
> XMLHttpRequest in ways other than security policy. I would suggest that we
> not do that with the proposed new constructor.
>

On that we agree.

> Regards,
> Maciej
-- 
    Cheers,
    --MarkM

Received on Thursday, 22 April 2010 03:30:42 UTC
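The distinction MarkM draws above (a credential-free request removes ambient authority, and so CSRF-like exposure, without providing anonymity) as an added illustration that is not code from this thread, from UMP, or from any browser's CORS implementation. It is a toy in-process model: `credentialedRequest`, `uniformRequest`, `makeBank`, the hosts, tokens and the client IP are all constructed for the example, and the server deliberately does no Origin checking, since the point is only what the browser attaches passively versus what the sender adds overtly.

```javascript
// Added illustration, not code from the thread or from any UMP/CORS
// implementation. A toy model of what a credential-free ("uniform")
// request does and does not give: it removes ambient authority (and so
// CSRF-like abuse of it), but it is not anonymity. All hosts, tokens and
// function names are constructed for this example.

// Constructed browser state: the victim is logged in at bank.example.
const cookieJar = { "bank.example": "session=victim-session-token" };
const CLIENT_IP = "203.0.113.5"; // sender's address, visible on every request

// Credentialed cross-origin request (XMLHttpRequest + CORS with credentials):
// the browser passively attaches the target host's cookie and an Origin
// header, neither of which the requesting script asked for.
function credentialedRequest(requestingOrigin, host, path, headers = {}) {
  return { host, path, headers, origin: requestingOrigin,
           cookie: cookieJar[host] || null, ip: CLIENT_IP };
}

// Uniform request (UMP, or the credential-free subset of CORS): nothing
// identifying the user or the requesting site is attached passively.
// The sender may still add credentials overtly via headers.
function uniformRequest(requestingOrigin, host, path, headers = {}) {
  return { host, path, headers, origin: null, cookie: null, ip: CLIENT_IP };
}

// Constructed server for bank.example. It does not check Origin (that is a
// separate CORS-side defence); the point here is what the browser attaches.
function makeBank() {
  const sessions = { "victim-session-token": "victim" }; // ambient: cookie
  const apiTokens = { "victim-api-key-abc": "victim" };  // overt: Authorization
  const balances = { victim: 100, attacker: 0, merchant: 0 };
  const accessLog = [];

  function handleTransfer(req, { to, amount }) {
    accessLog.push(req.ip); // the sender is identifiable by IP either way
    let user = null;
    if (req.cookie) {
      user = sessions[req.cookie.replace(/^session=/, "")] || null;
    }
    if (!user && req.headers.Authorization) {
      user = apiTokens[req.headers.Authorization.replace(/^Bearer /, "")] || null;
    }
    if (!user) return { status: 403 };
    if (!(to in balances)) return { status: 400 };
    balances[user] -= amount;
    balances[to] += amount;
    return { status: 200, user };
  }
  return { handleTransfer, balances, accessLog };
}

function runScenarios() {
  const bank = makeBank();
  const evil = "https://evil.example";
  // 1. Classic CSRF: the attacker's page sends a credentialed request; the
  //    browser adds the victim's cookie, so the server acts on ambient authority.
  const csrf = bank.handleTransfer(
    credentialedRequest(evil, "bank.example", "/transfer"),
    { to: "attacker", amount: 40 });
  // 2. Same attacker page, uniform request: no cookie rides along, so there
  //    is no ambient authority to abuse and the server refuses.
  const uniform = bank.handleTransfer(
    uniformRequest(evil, "bank.example", "/transfer"),
    { to: "attacker", amount: 40 });
  // 3. Legitimate client, uniform request with an overt credential it chose
  //    to include: authorized, with no reliance on anything the browser adds.
  const overt = bank.handleTransfer(
    uniformRequest("https://app.example", "bank.example", "/transfer",
                   { Authorization: "Bearer victim-api-key-abc" }),
    { to: "merchant", amount: 10 });
  return { csrf, uniform, overt, balances: bank.balances, accessLog: bank.accessLog };
}

const result = runScenarios();
console.log(JSON.stringify(result, null, 2));
```

The access log is the part that answers the "secret police" question: all three requests, uniform or not, arrive from the same client address, because removing passively attached credentials says nothing about side channels. What the uniform request does change is scenario 2 versus scenario 1: with no cookie riding along there is nothing for the attacker's page to borrow, and any authority the server grants must have been put there overtly by the sender, as in scenario 3.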