Re: UMP / CORS: Implementor Interest

Hi Ian,

On May 13, 2010, at 1:02 AM, Ian Hickson wrote:

> On Wed, 12 May 2010, Tyler Close wrote:

[...]

> 
> You are using the word "vulnerable" in a manner inconsistent with its 
> meaning in the Web standards community.

I think the specific vulnerability is that a server is vulnerable to a malicious or incorrectly-configured client passing on a malicious request in any model where the server depends on the client "doing the right thing" with an identifier passed from the malicious request.

[...]

> 
>> It is a strange security model that says the client must completely 
>> validate the request before submitting it.
> 
> It's how all the technologies on the Web so far have been secured. While 
> it may be academically strange, it is the only security model Web authors 
> are familiar with, so to them it isn't strange at all. XSS, XSRF, SQL 
> injection -- all these classes of problems are addressed by validating 
> data in the request before acting on it or passing it on to the next 
> system. You may not like this kind of design, but it's what authors are 
> most used to.

Just because we are used to it, doesn't mean we shouldn't seek to improve the model in order to remove vulnerabilities. Doing so may change the model -- but in ways we all benefit from and appreciate. Removing XSRF and clickjacking from the developer's lexicon seems like a worthy goal - doesn't it?

> 
> 
>> Yes, well, that's what I'm trying to do. By refusing to admit that tools 
>> contribute to bugs in any way, you are doing the opposite.
> 
> To be blunt: browser vendors have said they are implementing CORS, and 
> that UMP isn't enough. Continuing to argue against this isn't working. If 
> you want CORS replaced with something else, you need to find something 
> that will convince browser vendors; repeating your claims that the CORS 
> technology is vulnerable is merely distancing you further from the rest of 
> the working group and is more likely to make any further advice you may 
> have get ignored as well.

The (current) browsers are not the only clients, and both UMP and CORS are attempts to work on the entire Web. The specific vulnerability that is important is whether it is possible for a client to be duped into sending a request on behalf of a malicious server to an unsuspecting server. Should Web servers really have to depend on whether a complex client is written correctly (and not maliciously) in order to ensure that a request from a third-party is authentic? 

Regards,

- johnk

Received on Thursday, 13 May 2010 19:32:38 UTC