Re: widget example of CORS and UMP

On Fri, May 14, 2010 at 11:00 AM, Dirk Pranke <dpranke@chromium.org> wrote:
> On Fri, May 14, 2010 at 1:15 AM, Maciej Stachowiak <mjs@apple.com> wrote:
>> There are also more subtle risks to shared secrets. If you are creating your
>> secrets with a bad random number generator, then they will not in fact be
>> unguessable and you have a huge vulnerability. Even security experts can
>> make this mistake, here is an example that impacted a huge number of people:
>> <http://www.debian.org/security/2008/dsa-1571>.
>>
>
> Sure.

Is someone claiming that the CORS cookie solution does not require use
of a random number generator? What's in the cookie and where did it
come from?

Access to a good random number generator is a requirement for either
solution and so is not relevant to this discussion.

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html

Received on Friday, 14 May 2010 18:21:28 UTC