- From: Maciej Stachowiak <mjs@apple.com>
- Date: Sun, 10 Jan 2010 06:54:28 -0800
- To: Tyler Close <tyler.close@gmail.com>
- Cc: Adam Barth <w3c@adambarth.com>, public-webapps <public-webapps@w3.org>
- Message-id: <F32F77E5-88EC-4E7A-A81B-8E43D590BF1C@apple.com>
On Jan 9, 2010, at 1:57 PM, Tyler Close wrote:

> On Sat, Jan 9, 2010 at 10:20 AM, Adam Barth <w3c@adambarth.com> wrote:
>
>> (As Maciej says, CORS doesn't appear to have this hole.)
>
> Indeed, I misread the section on simple requests:
>
> http://www.w3.org/TR/access-control/#simple-cross-origin-request0
>
> I didn't realize the algorithm was checking the response headers in
> several different places. I guess that's one of the dangers of an
> algorithmic specification: you must have the whole thing in mind
> before you can make any statements about what it does or does not do.
>
> Given this correction, I'm reconsidering following of non-uniform
> redirects. I still don't like that it makes it look like your example
> design is safe, when in fact there are several non-confidentiality
> problems with it, and using JSON for the final response also breaks
> confidentiality.

Thanks for giving this another look.

>> As Maciej says, just because the server can screw up its
>> confidentiality doesn't mean we should prevent servers from doing the
>> secure thing. By this argument, we should remove the same-origin
>> policy entirely because some sites might have XSS vulnerabilities.
>
> Deciding to use a popular and standard media-type in its intended
> setting is not at all comparable to filling your site with XSS
> vulnerabilities. I did not read Maciej's email as suggesting
> otherwise.

I don't think I suggested otherwise, nor do I think Adam suggested that I suggested otherwise. What I meant to say was that the weak confidentiality protection for ECMAScript should not be used as an excuse to weaken protection for other resources. This is a leaky and awkward hole, but it does not justify ignoring more general confidentiality concerns in any context. Adam's analogy was that the widespread existence of XSS bugs is not a reason to remove all cross-domain protection either. While it's not a 100% on-point analogy, I got the point he was making and I recognize that it is similar to my own.

Regards,
Maciej
Received on Sunday, 10 January 2010 14:55:02 UTC