- From: Tyler Close <tyler.close@gmail.com>
- Date: Thu, 14 Jan 2010 09:20:20 -0800
- To: Adam Barth <w3c@adambarth.com>
- Cc: "Mark S. Miller" <erights@google.com>, public-webapps <public-webapps@w3.org>
On Tue, Jan 12, 2010 at 5:34 PM, Adam Barth <w3c@adambarth.com> wrote:
> On Tue, Jan 12, 2010 at 4:24 PM, Mark S. Miller <erights@google.com> wrote:
>> The most it can do is ignore such information. It is up to the
>> client not to provide such information. It is the job of the standard to
>> require the client not to provide it, and to inform server-side authors not
>> to expect it.
>
> Right, but we're working in a threat model where ambient authority is
> confusing to servers and causes them to have vulnerabilities. If the
> server is smart enough to understand the dangers of ambient authority,
> then we don't need UMP. CORS would be sufficient.

The client side requires the UMP restrictions. When a client is about to send off a request, it doesn't yet know whether or not the server will ignore the client's ambient authority. To ensure that it must, the request delivered to the server contains no credentials.

On the server side, a resource implemented to the UMP security model doesn't expect requests to bear credentials, since clients are not expected to send them. There shouldn't be any code branches on the server side that are conditional upon receiving credentials. Consequently, if a malicious client does send credentials, these have no impact on processing of the request.

> On Tue, Jan 12, 2010 at 4:56 PM, Tyler Close <tyler.close@gmail.com> wrote:
>> UMP supports confidentiality where client and server desire
>> confidentiality.
>
> My question, then, is how can a server enjoy the confidentiality
> benefits of UMP without paying the security costs of CORS?

By neither issuing nor accepting client credentials, so that clients can access the server's resources without being vulnerable to CSRF attacks that would break confidentiality.

The confidentiality of a resource can be compromised by a CSRF vulnerability in a legitimate client. A server can avoid this loss of confidentiality by providing its clients a security model that is not vulnerable to CSRF. UMP provides this security model.

--Tyler

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Thursday, 14 January 2010 17:20:54 UTC
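The server-side property argued for above (no code path conditional on received credentials, so a cookie a malicious or confused client forwards has no effect) is shown below as an added example. It is not code from the thread, from UMP, or from Waterken. The "transfer" resource, the account names, the session cookie and the token are all constructed for illustration, and the choice to convey authority by an unguessable token that the client script itself places in the URL is an assumption: the e-mail does not say how a UMP server identifies its caller, only that it must not rely on credentials the browser attaches.

```javascript
// Added example (not from the original e-mail, UMP or Waterken). A hypothetical
// "transfer" resource implemented twice: once branching on a browser-attached
// session cookie (ambient authority, CORS-style), once UMP-style, where the
// handler never reads Cookie or Authorization and authority comes only from a
// token the client script deliberately put in the request (an assumption here).

// Constructed sample state: balances, one session cookie, and alice's secret
// transfer token (hypothetical values).
function makeBank() {
  return {
    balances: { alice: 100, mallory: 0 },
    sessions: { 'sid=alice-session': 'alice' },   // cookie value -> account
    tokens: { 'tok-4f1e9c27a0b3': 'alice' },       // unguessable token -> account
  };
}

function transfer(bank, from, to, amount) {
  const n = Number(amount);
  if (!(n > 0) || !(to in bank.balances) || bank.balances[from] < n) {
    return { status: 400, body: 'bad transfer' };
  }
  bank.balances[from] -= n;
  bank.balances[to] += n;
  return { status: 200, body: `moved ${n} from ${from} to ${to}` };
}

// Ambient-authority handler: the actor is whoever owns the cookie the browser
// attached, regardless of which page caused the browser to send the request.
function corsStyleTransfer(bank, req) {
  const actor = bank.sessions[req.headers.cookie || ''];
  if (!actor) return { status: 403, body: 'no session' };
  return transfer(bank, actor, req.query.to, req.query.amount);
}

// UMP-style handler: credentials are never read. A client may still attach
// Cookie or Authorization headers; nothing below is conditional on them, so
// they cannot change the outcome.
function umpStyleTransfer(bank, req) {
  const actor = bank.tokens[req.query.token];
  if (!actor) return { status: 404, body: 'unknown resource' };
  return transfer(bank, actor, req.query.to, req.query.amount);
}

// Simulated CSRF: a page controlled by mallory makes alice's browser issue a
// request mallory built. The browser attaches alice's cookie automatically;
// mallory does not know alice's token, so only a guess can be sent.
function csrfFromMallory(handler) {
  const bank = makeBank();
  const forged = {
    headers: { cookie: 'sid=alice-session' },             // attached by victim's browser
    query: { to: 'mallory', amount: '100', token: 'guess' },
  };
  const res = handler(bank, forged);
  return { status: res.status, alice: bank.balances.alice, mallory: bank.balances.mallory };
}

// A legitimate UMP client: alice's own script sends her token. Whether or not a
// cookie rides along, the result is identical because the handler ignores it.
function legitimateUmp(withCookie) {
  const bank = makeBank();
  const req = {
    headers: withCookie ? { cookie: 'sid=alice-session' } : {},
    query: { to: 'mallory', amount: '30', token: 'tok-4f1e9c27a0b3' },
  };
  const res = umpStyleTransfer(bank, req);
  return { status: res.status, alice: bank.balances.alice };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('CSRF vs cookie-branching server:', csrfFromMallory(corsStyleTransfer));
  console.log('CSRF vs UMP-style server:      ', csrfFromMallory(umpStyleTransfer));
  console.log('UMP, cookie attached:          ', legitimateUmp(true));
  console.log('UMP, no cookie:                ', legitimateUmp(false));
}
```

The cookie-branching handler drains alice's account on the forged request because the cookie alone decides who is acting; the UMP-style handler returns the same result for that request whether or not the cookie is present, which is the "no impact" property the message describes.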