- From: Ian Hickson <ian@hixie.ch>
- Date: Wed, 12 May 2010 17:39:24 +0000 (UTC)
- To: Tyler Close <tyler.close@gmail.com>
- Cc: Arthur Barstow <Art.Barstow@nokia.com>, ext Jonas Sicking <jonas@sicking.cc>, Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>, Adam Barth <w3c@adambarth.com>
On Wed, 12 May 2010, Tyler Close wrote:
> On Tue, May 11, 2010 at 5:15 PM, Ian Hickson <ian@hixie.ch> wrote:
> > On Tue, 11 May 2010, Tyler Close wrote:
> >>
> >> CORS introduces subtle but severe Confused Deputy vulnerabilities
> >
> > I don't think everyone is convinced that this is the case.
>
> AFAICT, there is consensus that CORS has Confused Deputy
> vulnerabilities. I can pull up email quotes from almost everyone
> involved in the conversation.

There's clearly not complete consensus since at least I disagree.

> It is also not a question of opinion, but fact. CORS uses ambient
> authority for access control in 3 party scenarios. CORS is therefore
> vulnerable to Confused Deputy.

That's like saying that HTML uses markup and is therefore vulnerable to
markup injection. It's a vast oversimplification and overstatement of the
problem. It is quite possible to write perfectly safe n-party apps.

> > It is certainly possible to mis-use CORS in insecure ways, but then
> > it's also possible to mis-use UMP in insecure ways. As far as I can
> > tell, confused deputy vulnerabilities only occur with CORS if you use
> > it in inappropriate ways, such as sharing identifiers amongst
> > different origins without properly validating that they aren't
> > spoofing each other.
>
> In the general case, including many common cases, doing this validation
> is not feasible.

That's nonsense. You have to make sure you don't rely on identifiers to
confer authority, but that's just a matter of good design.

--
Ian Hickson                  U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 12 May 2010 17:39:53 UTC
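The disagreement above is about whether a CORS resource server that acts on the browser's ambient cookie for a cross-origin caller is a confused deputy, and whether the server can feasibly validate the caller. The following is an added example, not code from the thread or from the CORS or UMP specifications: a toy resource server written as two pure request handlers, one that reflects whatever Origin it is given (the shape Tyler Close's objection describes) and one that first checks the calling origin against an allowlist and lets the caller-supplied document id select a resource without conferring authority (the design point in Ian Hickson's reply). The session table, ACL, origin names, cookie format and request objects are all constructed for illustration.

```javascript
// Added example (not from the thread): a toy CORS resource server deciding a
// credentialed cross-origin request. All sessions, ACL entries, origins and
// requests below are constructed for illustration.

const SESSIONS = { "sid-alice": "alice" };                  // cookie value -> user
const ACL = { "doc-1": ["alice"], "doc-2": ["bob"] };        // resource id -> users allowed
const TRUSTED_ORIGINS = new Set(["https://app.example"]);   // origins allowed to act for the user

// Ambient authority: the only identity input is the cookie the browser attaches.
function sessionUser(req) {
  const m = /(?:^|;\s*)sid=([^;]+)/.exec(req.headers.cookie || "");
  return m ? SESSIONS[m[1]] || null : null;
}

function canRead(user, docId) {
  return (ACL[docId] || []).includes(user);
}

// Deputy that reflects whatever Origin it is given: any page the user visits
// can have the server spend the user's cookie on a caller-chosen doc id, and
// the reflected header tells the browser to hand that page the response.
function handleReflecting(req) {
  const user = sessionUser(req);
  if (!user) return { status: 401, headers: {} };
  return {
    status: canRead(user, req.query.doc) ? 200 : 403,
    headers: {
      "Access-Control-Allow-Origin": req.headers.origin,
      "Access-Control-Allow-Credentials": "true",
    },
  };
}

// Hardened: decide first whether the calling origin may act with this user's
// authority at all. The doc id still selects the resource, but authority comes
// from the authenticated session plus the origin check, never from the id.
function handleAllowlisted(req) {
  const origin = req.headers.origin;
  const crossOrigin = origin !== undefined;
  if (crossOrigin && !TRUSTED_ORIGINS.has(origin)) {
    return { status: 403, headers: { Vary: "Origin" } };
  }
  const user = sessionUser(req);
  if (!user) return { status: 401, headers: {} };
  const headers = { Vary: "Origin" };
  if (crossOrigin) {
    headers["Access-Control-Allow-Origin"] = origin;   // only ever an allowlisted value
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return { status: canRead(user, req.query.doc) ? 200 : 403, headers };
}

// Constructed requests: alice's browser, steered by a page on an untrusted
// origin and by a page on the trusted one, asks for a document she may read.
const fromUntrustedPage = {
  headers: { origin: "https://other.example", cookie: "sid=sid-alice" },
  query: { doc: "doc-1" },
};
const fromTrustedPage = {
  headers: { origin: "https://app.example", cookie: "sid=sid-alice" },
  query: { doc: "doc-1" },
};

// Whether the browser would expose the body to the calling page: the response
// must succeed and name that page's origin in Access-Control-Allow-Origin.
function exposedToCaller(req, res) {
  return res.status === 200 &&
    res.headers["Access-Control-Allow-Origin"] === req.headers.origin;
}

console.log("reflecting, untrusted page:", exposedToCaller(fromUntrustedPage, handleReflecting(fromUntrustedPage)));
console.log("allowlisted, untrusted page:", exposedToCaller(fromUntrustedPage, handleAllowlisted(fromUntrustedPage)));
console.log("allowlisted, trusted page:", exposedToCaller(fromTrustedPage, handleAllowlisted(fromTrustedPage)));
```

The two handlers differ only in where authority comes from. In the reflecting one the document id plus the ambient cookie is enough, so the server acts for whichever origin asked, which is the pattern the thread labels a confused deputy. In the allowlisted one the server refuses to act for an origin it does not trust before it even looks at the session, and it emits `Vary: Origin` so a cache cannot serve one origin's credentialed response to another. Whether keeping such an allowlist is feasible for a given deployment is the point the two participants disagree on; the example only shows what the check looks like when it is.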