- From: Kris Zyp <kris@sitepen.com>
- Date: Wed, 12 May 2010 12:02:39 -0600
- To: Ian Hickson <ian@hixie.ch>
- CC: Tyler Close <tyler.close@gmail.com>, Arthur Barstow <Art.Barstow@nokia.com>, ext Jonas Sicking <jonas@sicking.cc>, Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>, Adam Barth <w3c@adambarth.com>
On 5/12/2010 11:39 AM, Ian Hickson wrote:
> On Wed, 12 May 2010, Tyler Close wrote:
>> On Tue, May 11, 2010 at 5:15 PM, Ian Hickson <ian@hixie.ch> wrote:
>>> On Tue, 11 May 2010, Tyler Close wrote:
>>>>
>>>> CORS introduces subtle but severe Confused Deputy vulnerabilities
>>>
>>> I don't think everyone is convinced that this is the case.
>>
>> AFAICT, there is consensus that CORS has Confused Deputy
>> vulnerabilities. I can pull up email quotes from almost everyone
>> involved in the conversation.
>
> There's clearly not complete consensus since at least I disagree.
>

FWIW, I also disagree that CORS creates inappropriate unconfused deputy vulnerabilities. CORS provides a totally sufficient pathway for secure use.

>> It is also not a question of opinion, but fact. CORS uses ambient
>> authority for access control in 3 party scenarios. CORS is therefore
>> vulnerable to Confused Deputy.
>
> That's like saying that HTML uses markup and is therefore vulnerable to
> markup injection. It's a vast oversimplification and overstatement of the
> problem. It is quite possible to write perfectly safe n-party apps.

Adding to this, saying that CORS uses ambient authority doesn't make sense: CORS itself can't assign authority; owners of resources assign authority. Any reasonable usage of CORS by resource owners would not rely on interpreting headers in a way that assigns ambient authority.

--
Kris Zyp
SitePen
(503) 806-1841
http://sitepen.com
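As an added illustration of the two positions in this thread (example code, not from any participant or from the CORS specification): a state-changing endpoint handled by a policy that grants authority from the browser's ambient cookie and reflects any Origin, beside one that grants cross-origin authority only from an explicit token the calling page must hold itself. The origins, session id and token are constructed sample values.

```python
# Added example, not part of the thread. Two server-side policies for a
# cross-origin state-changing request (e.g. a POST to /transfer).
# Each returns (status, response_headers, acting_user).

SELF_ORIGIN = "https://bank.example"                      # constructed
SESSION_COOKIES = {"sid=abc123": "alice"}                 # constructed ambient sessions
# Explicit grants: token -> (origin it is bound to, user it acts for)
ORIGIN_TOKENS = {"tok-9f3": ("https://partner.example", "alice")}  # constructed

def ambient_policy(req):
    """Confused-deputy case: the server acts on the session cookie the
    browser attached, and reflects whatever Origin asked for it."""
    user = SESSION_COOKIES.get(req.get("Cookie", ""))
    if user is None:
        return 401, {}, None
    headers = {
        "Access-Control-Allow-Origin": req.get("Origin", "*"),   # reflected
        "Access-Control-Allow-Credentials": "true",
    }
    return 200, headers, user   # performs the write as 'user' for any caller

def explicit_policy(req):
    """Resource-owner policy that assigns no authority from ambient headers
    on cross-origin requests: the caller must present its own token, and
    the token is bound to the Origin it was issued to."""
    origin = req.get("Origin", SELF_ORIGIN)
    if origin == SELF_ORIGIN:
        # Same-origin request: the site's own session cookie is sufficient.
        user = SESSION_COOKIES.get(req.get("Cookie", ""))
        return (200, {}, user) if user else (401, {}, None)
    auth = req.get("Authorization", "")
    grant = ORIGIN_TOKENS.get(auth[7:]) if auth.startswith("Bearer ") else None
    if grant is None or grant[0] != origin:
        return 403, {}, None    # cookie alone (if any) is ignored here
    headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return 200, headers, grant[1]

# Constructed requests: a page on an unrelated origin whose request carries
# the victim's cookie, and a legitimate partner call with its own token.
CROSS_SITE_REQUEST = {"Origin": "https://evil.example", "Cookie": "sid=abc123"}
PARTNER_REQUEST = {"Origin": "https://partner.example",
                   "Authorization": "Bearer tok-9f3"}
```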
Received on Wednesday, 12 May 2010 18:04:28 UTC