- From: Devdatta <dev.akhawe@gmail.com>
- Date: Tue, 12 Jan 2010 19:12:27 -0800
- To: Adam Barth <w3c@adambarth.com>
- Cc: "Mark S. Miller" <erights@google.com>, public-webapps <public-webapps@w3.org>, Tyler Close <tyler.close@gmail.com>
> My question, then, is how can a server enjoy the confidentiality
> benefits of UMP without paying the security costs of CORS? As
> currently specced, a server needs to take all the CORS risks in order
> to use UMP. That seems unnecessary.

The page at http://dev.w3.org/2006/waf/UMP/#security clearly mentions that if you want to have the confidentiality benefits of UMP, you need to ensure that resources you want accessed only by particular principals use explicit permission tokens (some nonce, I presume). I don't understand how a server that protects all its relevant resources through a nonce/permission token can lose confidentiality or have any "security costs of CORS" just by doing Access-Control-Allow-Origin: *?

Regards,
Devdatta
Received on Wednesday, 13 January 2010 03:13:21 UTC
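The resource model Devdatta describes, as an added illustration that is not code from this thread or from the UMP draft: a server keeps authorization entirely in an explicit, unguessable permission token, ignores browser-attached cookies, and can therefore answer every request with Access-Control-Allow-Origin: *. The handler names, paths and token store are assumptions made for this example.

```python
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed sample data: one private resource, guarded by an explicit
# permission token that the server hands only to the principal allowed
# to read it. The token is the whole authorization; nothing ambient counts.
PERMISSION_TOKENS = {
    "/private/report": secrets.token_urlsafe(32),
}
RESOURCES = {"/private/report": b"quarterly numbers"}

# Every response is readable cross-origin. That is safe only because the
# handler below never grants anything on the strength of ambient authority.
CORS_HEADERS = {"Access-Control-Allow-Origin": "*"}


def handle_request(path, query_string, headers):
    """Hypothetical handler (not a framework API). Returns (status, headers, body)."""
    if path not in RESOURCES:
        return 404, dict(CORS_HEADERS), b""
    presented = parse_qs(query_string).get("token", [""])[0]
    expected = PERMISSION_TOKENS[path]
    # Constant-time comparison so a near-miss token leaks nothing via timing.
    if not hmac.compare_digest(presented, expected):
        # Any Cookie header is deliberately ignored: a browser-attached session
        # cookie is exactly the ambient authority a uniform request must not carry.
        return 403, dict(CORS_HEADERS), b""
    return 200, dict(CORS_HEADERS), RESOURCES[path]


def cookie_based_handler(path, headers):
    """Contrast case: authority taken from whatever Cookie the browser attached.

    Such a handler cannot tell whether the request came from a page the user
    meant to authorize, so the requesting page's origin matters to it; the
    token handler above has no such dependency and can open its responses.
    """
    if path not in RESOURCES:
        return 404, {}, b""
    if headers.get("Cookie") == "session=valid":  # constructed session value
        return 200, {}, RESOURCES[path]
    return 403, {}, b""
```

The token handler returns 403 even when a valid-looking cookie accompanies a missing or wrong token, which is the property that makes the wildcard origin harmless for it.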