- From: Dirk Pranke <dpranke@google.com>
- Date: Thu, 13 May 2010 15:39:42 -0700
- To: Ian Hickson <ian@hixie.ch>
- Cc: Tyler Close <tyler.close@gmail.com>, public-webapps <public-webapps@w3.org>

On Wed, May 12, 2010 at 10:02 PM, Ian Hickson <ian@hixie.ch> wrote:
> On Wed, 12 May 2010, Tyler Close wrote:
>>
>> So HTML is not vulnerable to Cross-Site Scripting, C++ is not vulnerable
>> to buffer overflows and so CORS is not vulnerable to Confused Deputy.
>
> Correct.
>

As some (at least me) might be confused by what you're saying here, are you saying that "C++ isn't vulnerable to buffer overflows, rather *some programs* written in C++ are vulnerable to buffer overflows"? And, hence, some usages of CORS aren't vulnerable to buffer overflows and so you can say that CORS itself is not, either?

Or are you saying something stronger, and I'm still not following you? Like MarkM, I perhaps am not understanding the "Web standards" manner of using the word "vulnerable" and so it would be helpful if you could elaborate.

To continue the analogy, there is an essential distinction between C++'s vulnerability to buffer overflows and (Java, Python, ML, etc.) total lack of vulnerability. To say that C++ is not subject to buffer overflows but rather individual programs are at fault is to lose sight of that essential distinction. Much as Tyler is attempting to distinguish between APIs that use ambient authority (and hence, are "vulnerable", even if some usages are safe) and APIs where that simply cannot happen.

Regardless of the above, I agree 100% that it is more fruitful to focus on actual examples so we can be completely clear about this ...

-- Dirk

Received on Thursday, 13 May 2010 22:40:15 UTC