Re: [UMP] Feedback on UMP from a quick read

On Jan 9, 2010, at 1:57 PM, Tyler Close wrote:

> On Sat, Jan 9, 2010 at 10:20 AM, Adam Barth <> wrote:
>> (As Maciej says, CORS doesn't appear to have this hole.)
> Indeed, I misread the section on simple requests:
> I didn't realize the algorithm was checking the response headers in
> several different places. I guess that's one of the dangers of an
> algorithmic specification: you must have the whole thing in mind
> before you can make any statements about what it does or does not do.
> Given this correction, I'm reconsidering following of non-uniform
> redirects. I still don't like that it makes it look like your example
> design is safe, when in fact there are several non-confidentiality
> problems with it, and using JSON for the final response also breaks
> confidentiality.

Thanks for giving this another look.

>> As Maciej says, just because the server can screw up it's
>> confidentiality doesn't means we should prevent servers from doing  
>> the
>> secure thing.  By this argument, we should remove the same-origin
>> policy entirely because some sites might have XSS vulnerabilities.
> Deciding to use a popular and standard media-type in its intended
> setting is not at all comparable to filling your site with XSS
> vulnerabilities. I did not read Maciej's email as suggesting
> otherwise.

I don't think I suggested otherwise, nor do I think Adam suggested  
that I suggested otherwise. What I meant to say was that the weak  
confidentiality protection for ECMAScript should not be used as an  
excuse to weaken protection for other resources. This is a leaky and  
awkward hole but it does not justify ignoring more general  
confidentiality concerns in any context.

Adam's analogy was that the widespread existence of XSS bugs is not a  
reason to remove all cross-domain protection either. While it's not a  
100% on-point analogy, I got the point he was making and I recognize  
that it is similar to my own.


Received on Sunday, 10 January 2010 14:55:02 UTC