Re: UMP / CORS: Implementor Interest

Hash: SHA1

On 5/12/2010 11:39 AM, Ian Hickson wrote:
> On Wed, 12 May 2010, Tyler Close wrote:
>> On Tue, May 11, 2010 at 5:15 PM, Ian Hickson <> wrote:
>>> On Tue, 11 May 2010, Tyler Close wrote:
>>>> CORS introduces subtle but severe Confused Deputy vulnerabilities
>>> I don't think everyone is convinced that this is the case.
>> AFAICT, there is consensus that CORS has Confused Deputy
>> vulnerabilities. I can pull up email quotes from almost everyone
>> involved in the conversation.
> There's clearly not complete consensus since at least I disagree.
FWIW, I also disagree that CORS creates inappropriate unconfused
deputy vulnerabilities. CORS provides a totally sufficient pathway for
secure use.

>> It is also not a question of opinion, but fact. CORS uses ambient
>> authority for access control in 3 party scenarios. CORS is therefore
>> vulnerable to Confused Deputy.
> That's like saying that HTML uses markup and is therefore vulnerable to
> markup injection. It's a vast oversimplification and overstatement of the
> problem. It is quite possible to write perfectly safe n-party apps.

Adding to this, saying that CORS uses ambient authority doesn't make
sense, CORS itself can't assign authority, owners of resources assign
authority. Any reasonable usage of CORS by resource owners would not
rely on interpreting headers in a way that assigns ambient authority.

- -- 
Kris Zyp
(503) 806-1841
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla -

Received on Wednesday, 12 May 2010 18:04:28 UTC