Re: widget example of CORS and UMP from Ojan Vafai on 2010-05-14 (public-webapps@w3.org from April to June 2010)

From: Ojan Vafai <ojan@chromium.org>
Date: Fri, 14 May 2010 12:20:37 -0700
To: Tyler Close <tyler.close@gmail.com>
Cc: Dirk Pranke <dpranke@chromium.org>, Maciej Stachowiak <mjs@apple.com>, public-webapps <public-webapps@w3.org>
Message-ID: <AANLkTilM8NOQgsHHsULV7yJd-Gg5LwzSDNvT1i_hQnQe@mail.gmail.com>

On Fri, May 14, 2010 at 12:00 PM, Tyler Close <tyler.close@gmail.com> wrote:

> On Fri, May 14, 2010 at 11:27 AM, Dirk Pranke <dpranke@chromium.org>
> wrote:
> > You are correct that it is possible to use CORS unsafely. It is possible
> to use
> > UMP unsafely,
>
> Again, that is broken logic. It is possible to write unsafe code in
> C++, but it is also possible to write unsafe code in Java, so there's
> no security difference between the two languages. Please, this
> illogical argument needs to die.

This feels like a legal proceeding. Taken out of context, this sounds
illogical, in the context of the rest of the paragraph Dirk's point makes
perfect sense. In the same way that CORS has security problems, so does UMP.

For example, I don't understand how UMP can ever work with GET requests.
Specifically, how do you deal with users sharing URLs with malicious
parties? Or is that not considered a problem?

Ojan

Received on Friday, 14 May 2010 19:21:26 UTC