Re: [UMP] Feedback on UMP from a quick read from Maciej Stachowiak on 2010-01-10 (public-webapps@w3.org from January to March 2010)

From: Maciej Stachowiak <mjs@apple.com>
Date: Sun, 10 Jan 2010 06:54:28 -0800
To: Tyler Close <tyler.close@gmail.com>
Cc: Adam Barth <w3c@adambarth.com>, public-webapps <public-webapps@w3.org>
Message-id: <F32F77E5-88EC-4E7A-A81B-8E43D590BF1C@apple.com>

On Jan 9, 2010, at 1:57 PM, Tyler Close wrote:

> On Sat, Jan 9, 2010 at 10:20 AM, Adam Barth <w3c@adambarth.com> wrote:
>
>> (As Maciej says, CORS doesn't appear to have this hole.)
>
> Indeed, I misread the section on simple requests:
>
> http://www.w3.org/TR/access-control/#simple-cross-origin-request0
>
> I didn't realize the algorithm was checking the response headers in
> several different places. I guess that's one of the dangers of an
> algorithmic specification: you must have the whole thing in mind
> before you can make any statements about what it does or does not do.
>
> Given this correction, I'm reconsidering following of non-uniform
> redirects. I still don't like that it makes it look like your example
> design is safe, when in fact there are several non-confidentiality
> problems with it, and using JSON for the final response also breaks
> confidentiality.

Thanks for giving this another look.

>
>> As Maciej says, just because the server can screw up it's
>> confidentiality doesn't means we should prevent servers from doing  
>> the
>> secure thing.  By this argument, we should remove the same-origin
>> policy entirely because some sites might have XSS vulnerabilities.
>
> Deciding to use a popular and standard media-type in its intended
> setting is not at all comparable to filling your site with XSS
> vulnerabilities. I did not read Maciej's email as suggesting
> otherwise.

I don't think I suggested otherwise, nor do I think Adam suggested  
that I suggested otherwise. What I meant to say was that the weak  
confidentiality protection for ECMAScript should not be used as an  
excuse to weaken protection for other resources. This is a leaky and  
awkward hole but it does not justify ignoring more general  
confidentiality concerns in any context.

Adam's analogy was that the widespread existence of XSS bugs is not a  
reason to remove all cross-domain protection either. While it's not a  
100% on-point analogy, I got the point he was making and I recognize  
that it is similar to my own.

Regards,
Maciej

Received on Sunday, 10 January 2010 14:55:02 UTC