- From: Jonas Sicking <jonas@sicking.cc>
- Date: Wed, 12 May 2010 11:17:57 -0700
- To: Tyler Close <tyler.close@gmail.com>
- Cc: Ian Hickson <ian@hixie.ch>, Arthur Barstow <Art.Barstow@nokia.com>, Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>, Adam Barth <w3c@adambarth.com>
On Wed, May 12, 2010 at 9:01 AM, Tyler Close <tyler.close@gmail.com> wrote:
> On Tue, May 11, 2010 at 5:15 PM, Ian Hickson <ian@hixie.ch> wrote:
>> On Tue, 11 May 2010, Tyler Close wrote:
>>>
>>> CORS introduces subtle but severe Confused Deputy vulnerabilities
>>
>> I don't think everyone is convinced that this is the case.
>
> AFAICT, there is consensus that CORS has Confused Deputy
> vulnerabilities. I can pull up email quotes from almost everyone
> involved in the conversation.
>
> It is also not a question of opinion, but fact. CORS uses ambient
> authority for access control in 3 party scenarios. CORS is therefore
> vulnerable to Confused Deputy.

First I should note that I have no idea what this argument is trying to result in. Is this an attempt at preventing CORS from going to REC? Or are we just rat holing old discussions?

That said, I feel like I don't want to let the above claim go unanswered. Like Ian, I think you are oversimplifying the situation. I would argue that UMP risks resulting in the same confused deputy problems as CORS in the same complex scenarios where CORS risks confused deputy problems.

With a UMP-based web application it seems like a big risk that people will create APIs like:

```javascript
function fetchResource(uri, successCallback) {
  var req = new UMPOrWhateverWellCallItRequest();
  // The secret is appended to whatever URI the caller passes in,
  // so it travels to any origin the caller names.
  uri += "&securityToken=" + gSecurityToken;
  req.open("GET", uri);
  req.onload = function() { successCallback(req.responseText); };
  req.send();
}
```

Such code risks suffering from the exact same confused deputy problems as CORS.

My concern with UMP is that it takes no responsibility for the security model and instead puts all responsibility on web sites. I'm not convinced this will result in increased security on the web, just the ability for UAs to hide behind arguments like "it's not our fault that the website has a bug".

I don't see why we couldn't just give websites the ability to use either security model and stop wasting time reiterating old discussions.

/ Jonas
Received on Wednesday, 12 May 2010 18:18:52 UTC
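As an added illustration, not code from the thread, the following contrasts the token-attaching helper Jonas sketches with a variant that only attaches the secret when the request goes to the origin the token was issued for; the names naiveRequestUrl, guardedRequestUrl and tokenOrigin are hypothetical, and the URL building is done without a request object so it runs stand-alone.

```javascript
// Added example: the ambient-token pattern from the message, beside a
// guarded form. Hypothetical names; not from the thread or any spec.

// Naive: the caller fully controls `uri`, so the secret rides along to
// whatever origin the caller names. This is the confused-deputy shape
// Jonas warns about: the library (deputy) spends its authority on the
// caller's behalf without checking where it is being sent.
function naiveRequestUrl(uri, token) {
  const u = new URL(uri);
  u.searchParams.set("securityToken", token);
  return u.toString();
}

// Guarded: the token is bound to one origin (`tokenOrigin`, assumed to be
// the origin that issued it). It is attached only for HTTPS requests to
// exactly that origin; any other destination is fetched without it.
function guardedRequestUrl(uri, token, tokenOrigin) {
  const u = new URL(uri);
  if (u.protocol === "https:" && u.origin === tokenOrigin) {
    u.searchParams.set("securityToken", token);
  }
  return u.toString();
}

// Returns true when the built URL carries the token (used for checks).
function carriesToken(builtUrl) {
  return new URL(builtUrl).searchParams.has("securityToken");
}
```

Run with constructed inputs, the naive helper leaks the token to any origin the caller supplies, while the guarded helper sends it only to the issuing origin.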