Re: [UMP] Server opt-in

> My question, then, is how can a server enjoy the confidentiality
> benefits of UMP without paying the security costs of CORS?  As
> currently specced, a server needs to take all the CORS risks in order
> to use UMP.  That seems unnecessary.
>

The page at http://dev.w3.org/2006/waf/UMP/#security clearly mentions
that if you want to have the confidentiality benefits of UMP you need to
ensure that resources you want accessed only by particular principals
use explicit permission tokens (some nonce I presume).

I don't understand how a server that protects all its relevant
resources through a nonce/permission token can lose confidentiality or
have any "security costs of CORS" just by doing
Access-Control-Allow-Origin: * ?

Regards
Devdatta

Received on Wednesday, 13 January 2010 03:13:21 UTC
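The arrangement Devdatta describes, as an added illustration that is not code from the thread or from the UMP draft: every sensitive resource is guarded by its own unguessable permission token, cookies are never consulted, and the response is always marked Access-Control-Allow-Origin: *. The header name X-Permission-Token and the sample resource store are assumptions made for the example.

```python
import hmac
import secrets


def mint_token() -> str:
    """Mint a fresh unguessable permission token (the 'nonce') for one grant."""
    return secrets.token_urlsafe(32)  # 256 bits of randomness


# Constructed sample store: one protected resource, one token that is only
# handed to the principal allowed to read it.
PROTECTED = {
    "/reports/q4": {
        "token": mint_token(),
        "body": "confidential Q4 figures",
    },
}


def handle(path: str, headers: dict) -> tuple:
    """Serve a UMP-style request: the only source of authority is an explicit
    token carried in the request, never an ambient credential such as a cookie.

    Returns (status, response_headers, body)."""
    # The response is always readable cross-origin. This is safe because the
    # origin is not what protects confidentiality here; the token is.
    resp_headers = {"Access-Control-Allow-Origin": "*"}

    entry = PROTECTED.get(path)
    if entry is None:
        return 404, resp_headers, "not found"

    # Cookies are deliberately ignored: a UMP request does not carry them, and
    # honouring them would reintroduce the ambient-authority problems that
    # CORS has to defend against. Header name is an assumption of this example.
    presented = headers.get("X-Permission-Token", "")
    if not hmac.compare_digest(presented.encode(), entry["token"].encode()):
        return 403, resp_headers, "permission token required"

    return 200, resp_headers, entry["body"]
```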