Re: UMP / CORS: Implementor Interest

On Wed, May 12, 2010 at 4:45 PM, Adam Barth <w3c@adambarth.com> wrote:
> On Wed, May 12, 2010 at 4:38 PM, Dirk Pranke <dpranke@google.com> wrote:
>> On Wed, May 12, 2010 at 4:06 PM, Adam Barth <w3c@adambarth.com> wrote:
>>> On Wed, May 12, 2010 at 3:16 PM, Tyler Close <tyler.close@gmail.com> wrote:
>>>> On Wed, May 12, 2010 at 1:38 PM, Jonas Sicking <jonas@sicking.cc> wrote:
>>>>> On Wed, May 12, 2010 at 1:31 PM, Tyler Close <tyler.close@gmail.com> wrote:
>>>>>> On Wed, May 12, 2010 at 1:13 PM, Jonas Sicking <jonas@sicking.cc> wrote:
>>>>>>> On Wed, May 12, 2010 at 12:38 PM, Devdatta <dev.akhawe@gmail.com> wrote:
>>>>>>>> While most of the discussion in this thread is just repeats of
>>>>>>>> previous discussions, I think Tyler makes a good (and new) point in
>>>>>>>> that the current CORS draft still has no mention of the possible
>>>>>>>> security problems that Tyler talks about. The current draft's security
>>>>>>>> section
>>>>>>>>
>>>>>>>> http://dev.w3.org/2006/waf/access-control/#security
>>>>>>>>
>>>>>>>> is ridiculous considering the amount of discussion that has taken
>>>>>>>> place on this issue on this mailing list.
>>>>>>>>
>>>>>>>> Before going to rec, I believe Anne needs to substantially improve
>>>>>>>> this section - based on stuff from maybe Maciej's presentation - which
>>>>>>>> I found really informative. He could also cite UMP as a possible
>>>>>>>> option for those worried about security.
>>>>>>>
>>>>>>> I agree that the security section in CORS needs to be improved.
>>>>>>>
>>>>>>> As for the "should CORS exist" discussion, I'll bow out of those until
>>>>>>> we're starting to move towards officially adopting a WG decision one
>>>>>>> way or another, or genuinely new information is provided which would
>>>>>>> affect such a decision (for the record, I don't think I've seen any
>>>>>>> new information provided since last fall's TPAC).
>>>>>>
>>>>>> A smart guy once told me that "You can't tell people anything",
>>>>>> meaning they have to experience it for themselves before they really
>>>>>> get it. Has Mozilla tried to build anything non-trivial using CORS
>>>>>> where cookies + Origin are the access control mechanism? If so, I'll
>>>>>> do a security review of it and we'll see what we learn.
>>>>>
>>>>> Not to my knowledge, no. I believe we use CORS for tinderboxpushlog
>>>>> [1], however since that is only dealing with public data I don't
>>>>> believe it uses cookies or Origin headers.
>>>>
>>>> Does anyone have something?
>>>
>>> At the risk of getting myself involved in this discussion again, you
>>> might consider doing a security analysis of Facebook Chat.  Although
>>> Facebook Chat uses postMessage, it uses both cookies and postMessage's
>>> origin property for authentication, so it might be a system of the
>>> kind you're interested in analyzing.
>>>
>>
>> I think (although I'm not certain) that Tyler is asking partially to
>> figure out where a non-anonymous CORS request is used in the real
>> world. If he isn't, then I am :)
>>
>> Given that a major (but not the only) claim of the need to adopt CORS
>> with support for cookies and the Origin header is that it is in fact
>> already implemented and shipping, it would be good to see how it's
>> being used. If we can't find any examples of it being used (in the
>> non-anonymous case, at least), then the argument against us having to
>> keep it would hold less water. If we can find it being used, then we
>> can see both how we would handle the case with UMP, and whether or not
>> the CORS usage is in fact secure.
>
> Oh, I misunderstood.  I thought he wanted to do a security review to
> show that there was a confused deputy causing problems.
>

I think that's part of the same thing (the "whether or not the CORS
usage is in fact secure part" of my note).

-- Dirk

Received on Wednesday, 12 May 2010 23:53:51 UTC