- From: Tyler Close <tyler.close@gmail.com>
- Date: Wed, 12 May 2010 09:01:10 -0700
- To: Ian Hickson <ian@hixie.ch>
- Cc: Arthur Barstow <Art.Barstow@nokia.com>, ext Jonas Sicking <jonas@sicking.cc>, Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>, Adam Barth <w3c@adambarth.com>
On Tue, May 11, 2010 at 5:15 PM, Ian Hickson <ian@hixie.ch> wrote:
> On Tue, 11 May 2010, Tyler Close wrote:
>>
>> CORS introduces subtle but severe Confused Deputy vulnerabilities
>
> I don't think everyone is convinced that this is the case.

AFAICT, there is consensus that CORS has Confused Deputy vulnerabilities. I can pull up email quotes from almost everyone involved in the conversation.

It is also not a question of opinion, but fact. CORS uses ambient authority for access control in 3 party scenarios. CORS is therefore vulnerable to Confused Deputy.

> It is certainly
> possible to mis-use CORS in insecure ways, but then it's also possible to
> mis-use UMP in insecure ways. As far as I can tell, confused deputy
> vulnerabilities only occur with CORS if you use it in inappropriate ways,
> such as sharing identifiers amongst different origins without properly
> validating that they aren't spoofing each other.

In the general case, including many common cases, doing this validation is not feasible. The CORS specification should not be allowed to proceed through standardization without providing developers a robust solution to this problem. CORS is a new protocol and the WG has been made aware of the security issue before applications have become widely dependent upon it. The WG cannot responsibly proceed with CORS as is.

--Tyler

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html

Received on Wednesday, 12 May 2010 16:01:44 UTC
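
The three-party case debated in this message, modelled as an added example (not part of the original e-mail, nor code from the CORS or UMP specifications): a deputy A forwards an unvalidated identifier from C to server B, once with ambient credentials and once with only the authority that arrived with the identifier. All origins, paths, cookie and token values and the server's policy tables are constructed assumptions.

```javascript
// Constructed model; every origin, path, cookie and token is a hypothetical placeholder.
// B = resource server, A = deputy with its own rights at B, C = party handing A an identifier.
function makeServerB() {
  const data = new Map([["/a/settings", "A-original"], ["/c/outbox", ""]]);
  // Ambient policy: decided from the cookie and Origin that B receives.
  const acl = {
    "https://a.example": ["/a/settings", "/c/outbox"],
    "https://c.example": ["/c/outbox"],
  };
  // Explicit policy: an unguessable per-resource write token carried in the request.
  const writeToken = new Map([["/a/settings", "tok-a-5d1e"], ["/c/outbox", "tok-c-88f0"]]);
  return {
    data,
    handle(req) {
      const ok = req.credentialed
        ? req.cookie === "session-of-user" && (acl[req.origin] || []).includes(req.path)
        : req.token !== undefined && writeToken.get(req.path) === req.token;
      if (ok) data.set(req.path, req.body);
      return ok ? 200 : 403;
    },
  };
}

// Deputy A posts a result to whatever identifier C supplied, without validating it.
// credentialed=true models a CORS request with cookies; false models a UMP-style request.
function deputyPost(serverB, identifier, credentialed) {
  const req = { path: identifier.path, body: "result-from-A", credentialed };
  if (credentialed) {
    // Attached by the browser on every request; A's code does not pick them per identifier.
    req.origin = "https://a.example";
    req.cookie = "session-of-user";
  } else {
    req.token = identifier.token; // only what arrived with the identifier is sent
  }
  return serverB.handle(req);
}

// The only token C holds is for its own outbox.
const HONEST = { path: "/c/outbox", token: "tok-c-88f0" };
const SPOOFED = { path: "/a/settings", token: "tok-c-88f0" };

function runScenario(identifier, credentialed) {
  const b = makeServerB();
  const status = deputyPost(b, identifier, credentialed);
  return { status, settings: b.data.get("/a/settings") };
}

console.log(runScenario(SPOOFED, true), runScenario(SPOOFED, false), runScenario(HONEST, false));
```

In the credentialed run B authorizes the write from A's cookie and Origin alone, so it cannot distinguish a request A intended from one C steered; in the uniform run the same identifier is refused because C never held a token for it.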