- From: Adam Barth <w3c@adambarth.com>
- Date: Tue, 12 Jan 2010 14:57:36 -0800
- To: Tyler Close <tyler.close@gmail.com>
- Cc: public-webapps <public-webapps@w3.org>

On Tue, Jan 12, 2010 at 2:47 PM, Tyler Close <tyler.close@gmail.com> wrote:
> On Tue, Jan 12, 2010 at 2:44 PM, Adam Barth <w3c@adambarth.com> wrote:
>> Let me phrase my question another way. Suppose the following situation:
>>
>> 1) I'm a server operator and I want to provide a resource to other web sites.
>> 2) I've been reading public-webapps and I'm concerned about the
>> ambient authority in CORS.
>>
>> How can I share my resource with other web sites and enjoy the
>> security benefits of UMP?
>
> Follow the advice given in the "Security Considerations" section of
> the UMP spec:
>
> http://dev.w3.org/2006/waf/UMP/#security

As a server operator, why can't I follow that advice with CORS? Nothing there seems specific to UMP.

I don't understand how UMP is helping server operators deal with the risks of ambient authority. When a server operator makes a resource available via UMP, they're also making it available to CORS with its attendant security model.

Adam

Received on Tuesday, 12 January 2010 22:58:28 UTC