- From: Tyler Close <tyler.close@gmail.com>
- Date: Tue, 11 May 2010 13:02:45 -0700
- To: Arthur Barstow <Art.Barstow@nokia.com>
- Cc: ext Jonas Sicking <jonas@sicking.cc>, Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>, Adam Barth <w3c@adambarth.com>
On Tue, May 11, 2010 at 12:36 PM, Arthur Barstow <Art.Barstow@nokia.com> wrote:
> Jonas, Anne, Tyler, All,
>
> On May 11, 2010, at 3:08 PM, ext Jonas Sicking wrote:
>
>> Personally I would prefer to see the "UMP model" be specced as part of
>> the CORS spec, mostly to avoid inevitable differences between two
>> specs trying to specify the same thing. And creating an authoring
>> guide specifically for the UMP security model to help authors that
>> want to just use UMP.
>
> Yes, I would also prefer that. Are there any technical reason(s) this can't
> be done?

CORS introduces subtle but severe Confused Deputy vulnerabilities which should prevent it from being standardized. Some believe/hope these vulnerabilities can be mitigated, but the suggested techniques are not well explained yet, will be overly constraining and will not work in many common cases. So far, the CORS document does not even explain these problems, let alone offer convincing solutions.

--Tyler

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Tuesday, 11 May 2010 20:03:18 UTC