- From: Tyler Close <tyler.close@gmail.com>
- Date: Sun, 10 Jan 2010 14:54:17 -0800
- To: Maciej Stachowiak <mjs@apple.com>
- Cc: Adam Barth <w3c@adambarth.com>, public-webapps <public-webapps@w3.org>
On Sun, Jan 10, 2010 at 6:54 AM, Maciej Stachowiak <mjs@apple.com> wrote:
> What I meant to say was that the weak confidentiality
> protection for ECMAScript should not be used as an excuse to weaken
> protection for other resources.

And I was never proposing to weaken existing protection for other resources. My reasoning rested on two points:

1. I thought this redirect behavior was the CORS-defined behavior.
2. Even if it's not, this WG is currently defining the security model for newly allowed cross-domain requests. It's reasonable to say that if you refer to a resource using a guessable URL and respond to a uniform GET request with a response marked as accessible by any origin, then there's no confidentiality.

This rule has no impact on the security of existing resources, since they don't yet have a Same Origin Policy opt-out header. This rule has the advantage of covering up the bizarre Same Origin Policy handling of ECMAScript data, thus eliminating a dangerous security gotcha for developers. It's bad when developers think they've implemented a design that provides confidentiality, and that turns out not to be true. We should be trying for a simple set of rules that yield easily predictable results.

> This is a leaky and awkward hole but it does
> not justify ignoring more general confidentiality concerns in any context.

Again, I wasn't doing that. I was looking at one very specific context that doesn't even exist yet, because we're currently defining it.

> Adam's analogy was that the widespread existence of XSS bugs is not a reason
> to remove all cross-domain protection either. That would be an extremely foolish thing to propose.

I don't think I was being extremely foolish. The analogy is a poor one.

> While it's not a 100% on-point
> analogy, I got the point he was making and I recognize that it is similar to
> my own.

In that case, please consider the argument I present at the top of this email. The proposal is different from what you've understood.
--Tyler
--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
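The rule stated in the message (a resource that answers a plain GET with a response marked as accessible by any origin has no confidentiality, whatever its URL looks like) applied to a few CORS response headers. This is an added illustration, not code from the email or from any WG draft; the URLs and headers are constructed sample data, and the verdict strings are this example's own.

```python
"""Classify HTTP responses by whether their CORS opt-out header gives up
confidentiality to every origin (added example; constructed sample data)."""
from dataclasses import dataclass, field


@dataclass
class Response:
    """One captured GET exchange: URL plus response headers, names lower-cased."""
    url: str
    headers: dict = field(default_factory=dict)

    def header(self, name: str) -> str:
        return self.headers.get(name.lower(), "").strip()


def readable_by_any_origin(resp: Response) -> bool:
    """True when the response opts out of the Same Origin Policy for every
    origin: any page on the web that learns the URL can read the body, so a
    hard-to-guess path provides no confidentiality."""
    return resp.header("Access-Control-Allow-Origin") == "*"


def classify(resp: Response) -> str:
    """Verdict a developer can act on: public, shared with one origin, or
    origin-restricted (no cross-origin opt-out header at all)."""
    acao = resp.header("Access-Control-Allow-Origin")
    if readable_by_any_origin(resp):
        return "public: any origin can read this body"
    if acao:
        # A single named origin keeps everyone else out; the body is shared,
        # not public, even when credentials are also allowed.
        return f"shared with {acao} only"
    return "origin-restricted: no cross-origin opt-out"


def audit(responses) -> dict:
    return {r.url: classify(r) for r in responses}


# Constructed sample responses (not real hosts).
SAMPLE = [
    Response("https://example.test/api/feed/7f3a9c", {"access-control-allow-origin": "*"}),
    Response("https://example.test/api/account/123",
             {"access-control-allow-origin": "https://app.example.test",
              "access-control-allow-credentials": "true"}),
    Response("https://example.test/api/report", {}),
]

if __name__ == "__main__":
    for url, verdict in audit(SAMPLE).items():
        print(url, "->", verdict)
```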
Received on Sunday, 10 January 2010 22:54:50 UTC