- From: Adam Barth <w3c@adambarth.com>
- Date: Sat, 9 Jan 2010 14:23:24 -0800
- To: Tyler Close <tyler.close@gmail.com>
- Cc: public-webapps <public-webapps@w3.org>
On Sat, Jan 9, 2010 at 1:57 PM, Tyler Close <tyler.close@gmail.com> wrote: > On Sat, Jan 9, 2010 at 10:20 AM, Adam Barth <w3c@adambarth.com> wrote: >> That's the security model we have. For example, it's safe to return >> untrusted HTML tags with certain media types but not with others. > > Just because the Same Origin Policy is full of bizarre gotchas doesn't > mean the UMP must also be. Using the UMP with permission tokens > eliminates several of the gotchas. I'm taking every opportunity I can > to provide developers with a more reasonable security model. Surely a > security expert must applaud this effort. You're making the security model *weaker* though. Why not make it stronger? Your reaction to a small (i.e., partial) leak of information in one media type is to open the floodgates for leaking all information about all media types. That doesn't make any sense. By way of example, suppose images leaked information about their height and width (which they do!), does that means we should disclose all maner of confidential information stored in HTML documents? >> I'm glad you consider CORS to be the epitome of a secure design. :) > > Does the smiley imply that you don't consider CORS to be a good > example of secure design? My point is more that UMP should be a subset of CORS (which we're selecting based on some principled notions about security). Having the security model for UMP be tighter than CORS in some places and looser than CORS in others doesn't seem like a good idea. Adam
Received on Saturday, 9 January 2010 22:24:18 UTC