Re: UMP / CORS: Implementor Interest from Adam Barth on 2010-05-12 (public-webapps@w3.org from April to June 2010)

From: Adam Barth <w3c@adambarth.com>
Date: Wed, 12 May 2010 16:06:11 -0700
To: Tyler Close <tyler.close@gmail.com>
Cc: Jonas Sicking <jonas@sicking.cc>, Devdatta <dev.akhawe@gmail.com>, Ian Hickson <ian@hixie.ch>, Arthur Barstow <Art.Barstow@nokia.com>, Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>
Message-ID: <AANLkTikJG9V3CLfkoqjfu0dmyQaENhRffVni3jXjnljg@mail.gmail.com>

On Wed, May 12, 2010 at 3:16 PM, Tyler Close <tyler.close@gmail.com> wrote:
> On Wed, May 12, 2010 at 1:38 PM, Jonas Sicking <jonas@sicking.cc> wrote:
>> On Wed, May 12, 2010 at 1:31 PM, Tyler Close <tyler.close@gmail.com> wrote:
>>> On Wed, May 12, 2010 at 1:13 PM, Jonas Sicking <jonas@sicking.cc> wrote:
>>>> On Wed, May 12, 2010 at 12:38 PM, Devdatta <dev.akhawe@gmail.com> wrote:
>>>>> While most of the discussion in this thread is just repeats of
>>>>> previous discussions, I think Tyler makes a good (and new) point in
>>>>> that the current CORS draft still has no mention of the possible
>>>>> security problems that Tyler talks about. The current draft's security
>>>>> section
>>>>>
>>>>> http://dev.w3.org/2006/waf/access-control/#security
>>>>>
>>>>> is ridiculous considering the amount of discussion that has taken
>>>>> place on this issue on this mailing list.
>>>>>
>>>>> Before going to rec, I believe Anne needs to substantially improve
>>>>> this section - based on stuff from maybe Maciej's presentation - which
>>>>> I found really informative. He could also cite UMP as a possible
>>>>> option for those worried about security.
>>>>
>>>> I agree that the security section in CORS needs to be improved.
>>>>
>>>> As for the "should CORS exist" discussion, I'll bow out of those until
>>>> we're starting to move towards officially adopting a WG decision one
>>>> way or another, or genuinely new information is provided which would
>>>> affect such a decision (for the record, I don't think I've seen any
>>>> new information provided since last fall's TPAC).
>>>
>>> A smart guy once told me that "You can't tell people anything",
>>> meaning they have to experience it for themselves before they really
>>> get it. Has Mozilla tried to build anything non-trivial using CORS
>>> where cookies + Origin are the access control mechanism? If so, I'll
>>> do a security review of it and we'll see what we learn.
>>
>> Not to my knowledge, no. I believe we use CORS for tinderboxpushlog
>> [1], however since that is only dealing with public data I don't
>> believe it uses cookies or Origin headers.
>
> Does anyone have something?

At the risk of getting myself involved in this discussion again, you
might consider doing a security analysis of Facebook Chat.  Although
Facebook Chat uses postMessage, it uses both cookies and postMessage's
origin property for authentication, so it might be a system of the
kind you're interested in analyzing.

Adam

Received on Wednesday, 12 May 2010 23:07:07 UTC