- From: Jonas Sicking <jonas@sicking.cc>
- Date: Wed, 12 May 2010 13:38:10 -0700
- To: Tyler Close <tyler.close@gmail.com>
- Cc: Devdatta <dev.akhawe@gmail.com>, Ian Hickson <ian@hixie.ch>, Arthur Barstow <Art.Barstow@nokia.com>, Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>, Adam Barth <w3c@adambarth.com>
On Wed, May 12, 2010 at 1:31 PM, Tyler Close <tyler.close@gmail.com> wrote: > On Wed, May 12, 2010 at 1:13 PM, Jonas Sicking <jonas@sicking.cc> wrote: >> On Wed, May 12, 2010 at 12:38 PM, Devdatta <dev.akhawe@gmail.com> wrote: >>> While most of the discussion in this thread is just repeats of >>> previous discussions, I think Tyler makes a good (and new) point in >>> that the current CORS draft still has no mention of the possible >>> security problems that Tyler talks about. The current draft's security >>> section >>> >>> http://dev.w3.org/2006/waf/access-control/#security >>> >>> is ridiculous considering the amount of discussion that has taken >>> place on this issue on this mailing list. >>> >>> Before going to rec, I believe Anne needs to substantially improve >>> this section - based on stuff from maybe Maciej's presentation - which >>> I found really informative. He could also cite UMP as a possible >>> option for those worried about security. >> >> I agree that the security section in CORS needs to be improved. >> >> As for the "should CORS exist" discussion, I'll bow out of those until >> we're starting to move towards officially adopting a WG decision one >> way or another, or genuinely new information is provided which would >> affect such a decision (for the record, I don't think I've seen any >> new information provided since last fall's TPAC). > > A smart guy once told me that "You can't tell people anything", > meaning they have to experience it for themselves before they really > get it. Has Mozilla tried to build anything non-trivial using CORS > where cookies + Origin are the access control mechanism? If so, I'll > do a security review of it and we'll see what we learn. Not to my knowledge, no. I believe we use CORS for tinderboxpushlog [1], however since that is only dealing with public data I don't believe it uses cookies or Origin headers. Feel free to review it anyway. [1] http://tests.themasta.com/tinderboxpushlog/ / Jonas
Received on Wednesday, 12 May 2010 20:39:05 UTC