Re: UMP / CORS: Implementor Interest

On Wed, May 12, 2010 at 10:02 PM, Ian Hickson <ian@hixie.ch> wrote:
> On Wed, 12 May 2010, Tyler Close wrote:
>>
>> So HTML is not vulnerable to Cross-Site Scripting, C++ is not vulnerable
>> to buffer overflows and so CORS is not vulnerable to Confused Deputy.
>
> Correct.
>

As some (at least me) might be confused by what you're saying here,
are you saying that "C++ isn't vulnerable to buffer overflows, rather
*some programs* written in C++ are vulnerable to buffer overflows"?
And, hence, some usages of CORS aren't vulnerable to buffer overflows
and so you can say that CORS itself is not, either? Or are you saying
something stronger, and I'm still not following you?

Like MarkM, I perhaps am not understanding the "Web standards" manner
of using the word "vulnerable" and so it would be helpful if you could
elaborate.

To continue the analogy, there is an essential distinction between
C++'s vulnerability to buffer overflows and (Java, Python, ML, etc.)
total lack of vulnerability. To say that C++ is not subject to buffer
overflows but rather individual programs are at fault is to lose sight
of that essential distinction. Much as Tyler is attempting to
distinguish between APIs that use ambient authority (and hence, are
"vulnerable", even if some usages are safe) and APIs where that simply
cannot happen.

Regardless of the above, I agree 100% that it is more fruitful to
focus on actual examples so we can be completely clear about this ...

-- Dirk

Received on Thursday, 13 May 2010 22:40:15 UTC