Re: UMP / CORS: Implementor Interest

On Tue, May 11, 2010 at 12:36 PM, Arthur Barstow <> wrote:
> Jonas, Anne, Tlyer, All,
> On May 11, 2010, at 3:08 PM, ext Jonas Sicking wrote:
>> Personally I would prefer to see the "UMP model" be specced as part of
>> the CORS spec, mostly to avoid inevitable differences between two
>> specs trying to specify the same thing. And creating an authoring
>> guide specifically for the UMP security model to help authors that
>> want to just use UMP.
> Yes, I would also prefer that. Are there any technical reason(s) this can't
> be done?

CORS introduces subtle but severe Confused Deputy vulnerabilities
which should prevent it from being standardized. Some believe/hope
these vulnerabilities can be mitigated, but the suggested techniques
are not well explained yet, will be overly constraining and will not
work in many common cases. So far, the CORS document does not even
explain these problems, let alone offer convincing solutions.


"Waterken News: Capability security on the Web"

Received on Tuesday, 11 May 2010 20:03:18 UTC