Re: UMP / CORS: Implementor Interest

On Tue, 11 May 2010, Tyler Close wrote:
> 
> CORS introduces subtle but severe Confused Deputy vulnerabilities

I don't think everyone is convinced that this is the case. It is certainly 
possible to mis-use CORS in insecure ways, but then it's also possible to 
mis-use UMP in insecure ways. As far as I can tell, confused deputy 
vulnerabilities only occur with CORS if you use it in inappropriate ways, 
such as sharing identifiers amongst different origins without properly 
validating that they aren't spoofing each other.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Wednesday, 12 May 2010 00:16:17 UTC
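
The misuse the reply describes, sketched as an added example that is not part of the original thread or of any CORS implementation: a server that accepts credentialed cross-origin requests and acts on an identifier named by the caller, first trusting the cookie alone and then also checking that the identifier was issued to the requesting origin. The origins, record store, session table and handler names are all constructed for illustration.

```javascript
// Constructed data: each record notes the user it belongs to and the origin
// that was handed its identifier.
const records = new Map([
  ["doc-1", { user: "alice", issuedTo: "https://photos.example", body: "holiday album" }],
  ["doc-2", { user: "alice", issuedTo: "https://bank.example", body: "statement" }],
]);
const sessions = new Map([["sid-alice", "alice"]]); // cookie value -> user
const ALLOWED_ORIGINS = new Set([
  "https://photos.example", "https://bank.example", "https://widgets.example",
]);

// CORS response headers for a credentialed request from an allowed origin.
function corsHeaders(origin) {
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Weak: the user's cookie is the only authority consulted, so any allowed
// origin can name an identifier that was issued to a different origin.
function handleNaive(req) {
  const user = sessions.get(req.cookie);
  const rec = records.get(req.id);
  if (!user || !ALLOWED_ORIGINS.has(req.origin)) return { status: 403 };
  if (!rec || rec.user !== user) return { status: 403 };
  return { status: 200, headers: corsHeaders(req.origin), body: rec.body };
}

// Checked: the identifier must also have been issued to the origin in the
// browser-set Origin header (modelled here as req.origin).
function handleChecked(req) {
  const user = sessions.get(req.cookie);
  const rec = records.get(req.id);
  if (!user || !ALLOWED_ORIGINS.has(req.origin)) return { status: 403 };
  if (!rec || rec.user !== user || rec.issuedTo !== req.origin) return { status: 403 };
  return { status: 200, headers: corsHeaders(req.origin), body: rec.body };
}

// Same user session, same identifier, two different requesting origins.
const fromOther = { cookie: "sid-alice", origin: "https://widgets.example", id: "doc-2" };
const fromOwner = { cookie: "sid-alice", origin: "https://bank.example", id: "doc-2" };
console.log("naive, other origin:  ", handleNaive(fromOther).status);
console.log("checked, other origin:", handleChecked(fromOther).status);
console.log("checked, owning origin:", handleChecked(fromOwner).status);
```
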