Re: [UMP] Feedback on UMP from a quick read

On Jan 9, 2010, at 7:23 AM, Tyler Close wrote:

>
> If the response can be parsed as ECMAScript, an attacker can break
> confidentiality by loading the document using a <script> tag.

I don't think this is a valid argument for potentially breaking
confidentiality for content that is not parseable as ECMAScript.
Browsers consider it a security hole when client-side script can
access HTML or XML cross-domain in the same way as JavaScript or CSS.

> Also, for any media-type, the attacker can mount a clickjacking attack
> against this design. Since in general this design cannot be made safe,
> I think it's better to not support it at all in the security model, by
> allowing a uniform request to follow a non-uniform redirect.

It used to be that UMP was a subset of CORS (in the sense that some  
request headers and some processing of allowed responses is removed,  
but otherwise the model is the same). This feature moves us away from  
that. We've also had a proposal for XHR2 to support UMP or a UMP-like  
mode before, but now it seems like the intent is to provide a  
completely separate UniformRequest API. I am concerned that this area  
of work, which started out with the potential to integrate nicely with  
existing specs, is becoming a parallel universe.

> A security model that works for some media-types but not others is just
> too bizarre to explain to developers. This choice doesn't endanger
> existing resources, since CORS also allows a cross-origin request to
> follow a redirect that has not opted out of the Same Origin Policy.

Maybe I'm misreading CORS, but that doesn't seem to be the case. Note  
step 4 here:

http://www.w3.org/TR/access-control/#redirect-steps

Regards,
Maciej

Received on Saturday, 9 January 2010 18:01:42 UTC
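The disagreement above turns on whether a cross-origin request may follow a redirect whose response has not opted in. The following is an added example, not code from the thread or from any browser, that models the CORS behaviour Maciej points to: the resource sharing check runs against every response in the chain, the 3xx included, and a failure turns the whole fetch into a network error. The server map, origins and URLs are constructed for the model.

```javascript
// Added model of cross-origin redirect handling. Each response in the
// chain, including the 3xx itself, must pass the resource sharing check;
// otherwise the fetch becomes a network error and no bytes reach the page.

// Resource sharing check: the response must name the requester's origin
// (or "*" when no credentials are sent) in Access-Control-Allow-Origin.
function resourceSharingCheck(origin, headers, withCredentials) {
  const allowOrigin = headers["access-control-allow-origin"];
  if (allowOrigin === undefined) return false;
  if (allowOrigin === "*") return !withCredentials;
  if (allowOrigin !== origin) return false;
  if (withCredentials) {
    return headers["access-control-allow-credentials"] === "true";
  }
  return true;
}

// `responses` is a constructed map url -> {status, headers, body} standing
// in for the network, so the model runs offline. Header names are lowercase.
function crossOriginFetch(origin, url, responses, withCredentials = false, maxHops = 5) {
  for (let hop = 0; hop <= maxHops; hop++) {
    const res = responses[url];
    if (!res) return { ok: false, reason: "no response for " + url };
    // The check runs on every response in the chain, not only the final one.
    if (!resourceSharingCheck(origin, res.headers, withCredentials)) {
      return { ok: false, reason: "network error: " + url + " did not opt in" };
    }
    if (res.status >= 300 && res.status < 400 && res.headers.location) {
      url = res.headers.location;
      continue;
    }
    return { ok: true, url, body: res.body };
  }
  return { ok: false, reason: "too many redirects" };
}

// Constructed sample: a redirector that opts in, one that does not.
const REQUESTER = "https://app.example";
const SERVERS = {
  "https://a.example/start": { status: 302, headers: { "access-control-allow-origin": "*", location: "https://b.example/data" }, body: "" },
  "https://b.example/data": { status: 200, headers: { "access-control-allow-origin": "*" }, body: "{\"ok\":1}" },
  // This hop has not opted in, so the cross-origin fetch must stop here.
  "https://a.example/private-hop": { status: 302, headers: { location: "https://b.example/data" }, body: "" },
};
```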