Re: [UMP] Server opt-in

On Tue, Jan 12, 2010 at 2:44 PM, Adam Barth <w3c@adambarth.com> wrote:
> On Tue, Jan 12, 2010 at 2:19 PM, Tyler Close <tyler.close@gmail.com> wrote:
>> On Tue, Jan 12, 2010 at 12:54 PM, Adam Barth <abarth@webkit.org> wrote:
>>> In the current draft of UMP, the client can opt-in to UMP by choosing
>>> to use the UniformMessaging API, but the server is unable to force
>>> clients to use UMP because the way the server opts into the protocol
>>> is by returning the Access-Control-Allow-Origin header.
>>> Unfortunately, when the server returns the Access-Control-Allow-Origin
>>> header, the server also opts into the CORS and XDomainRequest
>>> protocols.  The server operator might be reticent to opt into these
>>> protocols if he or she is worried about ambient authority.
>>>
>>> I recommend using a new header, like "Allow-Uniform-Messages: level-1"
>>> so that servers can opt into UMP specifically.
>>
>> I believe all three protocols attach the same semantics to the
>> "Access-Control-Allow-Origin: *" response header sent in response to a
>> GET or POST request. Unless you know of a significant difference in
>> the semantics, breaking compatibility seems unwarranted.
>
> Let my phrase my question another way.  Suppose the following situation:
>
> 1) I'm a server operator and I want to provide a resource to other web sites.
> 2) I've been reading public-webapps and I'm concerned about the
> ambient authority in CORS.
>
> How can I share my resource with other web sites and enjoy the
> security benefits of UMP?

Follow the advice given in the "Security Considerations" section of
the UMP spec:

http://dev.w3.org/2006/waf/UMP/#security

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html

Received on Tuesday, 12 January 2010 22:48:13 UTC