Re: UMP / CORS: Implementor Interest

On Wed, 12 May 2010, Tyler Close wrote:
> On Tue, May 11, 2010 at 5:15 PM, Ian Hickson <ian@hixie.ch> wrote:
> > On Tue, 11 May 2010, Tyler Close wrote:
> >>
> >> CORS introduces subtle but severe Confused Deputy vulnerabilities
> >
> > I don't think everyone is convinced that this is the case.
> 
> AFAICT, there is consensus that CORS has Confused Deputy 
> vulnerabilities. I can pull up email quotes from almost everyone 
> involved in the conversation.

There's clearly not complete consensus since at least I disagree.


> It is also not a question of opinion, but fact. CORS uses ambient 
> authority for access control in 3 party scenarios. CORS is therefore 
> vulnerable to Confused Deputy.

That's like saying that HTML uses markup and is therefore vulnerable to 
markup injection. It's a vast oversimplification and overstatement of the 
problem. It is quite possible to write perfectly safe n-party apps.


> > It is certainly possible to mis-use CORS in insecure ways, but then 
> > it's also possible to mis-use UMP in insecure ways. As far as I can 
> > tell, confused deputy vulnerabilities only occur with CORS if you use 
> > it in inappropriate ways, such as sharing identifiers amongst 
> > different origins without properly validating that they aren't 
> > spoofing each other.
> 
> In the general case, including many common cases, doing this validation 
> is not feasible.

That's nonsense. You have to make sure you don't rely on identifiers to 
confer authority, but that's just a matter of good design.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Wednesday, 12 May 2010 17:39:53 UTC
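The disagreement above turns on one design question: does a service that holds its own credential for a backend (the "deputy") use that credential for whatever resource a caller names, or does it first check the caller's own authority over that resource? The following Python simulation is an added example, not code from the thread or from either specification. It constructs three parties (a caller identified by origin and session cookie, a gateway holding an ambient backend credential, and a backend that only recognises the gateway) and compares a gateway that lets the identifier confer authority with two designs that do not: a per-resource ownership check of the kind Ian describes, and an unguessable per-resource token in the style UMP favours. All names, cookies, record ids and secrets are constructed.

```python
"""Confused-deputy simulation: gateway with ambient backend authority."""
import hmac
import secrets

# --- backend: recognises only the gateway's credential, knows nothing about
#     which end user the gateway is acting for (constructed data) ------------
BACKEND_RECORDS = {
    "rec-1001": {"owner": "alice", "body": "alice's private notes"},
    "rec-2002": {"owner": "bob", "body": "bob's private notes"},
}
GATEWAY_CREDENTIAL = "constructed-gateway-secret"  # the gateway's ambient authority


def backend_fetch(credential: str, record_id: str) -> dict:
    """Return a record if the caller is the gateway; ownership is not checked here."""
    if not hmac.compare_digest(credential, GATEWAY_CREDENTIAL):
        raise PermissionError("unknown caller")
    if record_id not in BACKEND_RECORDS:
        raise KeyError(record_id)
    return BACKEND_RECORDS[record_id]


# --- gateway (the deputy): sees an Origin header, a session cookie and a
#     record identifier chosen by the calling page (constructed data) --------
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}   # cookie -> user
ALLOWED_ORIGINS = {"https://app.example"}


def vulnerable_gateway(origin: str, cookie: str, record_id: str) -> dict:
    """Authenticates the caller, then spends its own credential on whatever
    identifier the caller supplied. Origin allowlist + valid cookie is treated
    as authority over every record: the identifier confers the authority."""
    if origin not in ALLOWED_ORIGINS or cookie not in SESSIONS:
        raise PermissionError("rejected")
    return backend_fetch(GATEWAY_CREDENTIAL, record_id)


def hardened_gateway(origin: str, cookie: str, record_id: str) -> dict:
    """Same interface, but the gateway decides per resource whether *this user*
    may see *this record* before handing anything back; the identifier alone
    confers nothing."""
    if origin not in ALLOWED_ORIGINS or cookie not in SESSIONS:
        raise PermissionError("rejected")
    user = SESSIONS[cookie]
    record = backend_fetch(GATEWAY_CREDENTIAL, record_id)
    if record["owner"] != user:
        raise PermissionError("caller has no authority over this record")
    return record


# --- capability variant: authority travels in an unguessable token that names
#     exactly one record; no Origin, no cookie, no ambient authority consulted
CAPABILITIES: dict[str, str] = {}   # token -> record_id (constructed store)


def mint_capability(user: str, record_id: str) -> str:
    """Issue a token for a record the user owns (ownership checked once, at mint time)."""
    if BACKEND_RECORDS[record_id]["owner"] != user:
        raise PermissionError("cannot mint a capability for another user's record")
    token = secrets.token_urlsafe(32)
    CAPABILITIES[token] = record_id
    return token


def capability_gateway(token: str) -> dict:
    """The token *is* the authority; nothing about the caller's identity is used."""
    record_id = CAPABILITIES.get(token)
    if record_id is None:
        raise PermissionError("invalid capability")
    return backend_fetch(GATEWAY_CREDENTIAL, record_id)


def access_granted(fn, *args) -> bool:
    """True if the gateway returned a record, False if it refused."""
    try:
        fn(*args)
        return True
    except PermissionError:
        return False


def demo() -> dict:
    """Bob's page (an allowed origin, valid session) asks for Alice's record."""
    alice_token = mint_capability("alice", "rec-1001")
    return {
        "vulnerable_bob_reads_alice": access_granted(
            vulnerable_gateway, "https://app.example", "sess-bob", "rec-1001"),
        "hardened_bob_reads_alice": access_granted(
            hardened_gateway, "https://app.example", "sess-bob", "rec-1001"),
        "hardened_alice_reads_alice": access_granted(
            hardened_gateway, "https://app.example", "sess-alice", "rec-1001"),
        "capability_holder_reads": access_granted(capability_gateway, alice_token),
        "guessed_token_rejected": not access_granted(capability_gateway, "guess"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'granted' if ok else 'refused'}")
```

The vulnerable gateway is the case both sides of the thread have in mind: the Origin allowlist and the session cookie are identifiers, and treating "identified and on the list" as "authorised for this record" lets Bob's page read Alice's data through the gateway's credential. The hardened gateway keeps CORS and cookies but adds the per-resource check, which is the "good design" position; the capability gateway removes identity from the decision entirely, which is the UMP position. Either closes the hole; the point of contention is how feasible the ownership check is to get right across every resource a deputy fronts.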