- From: Mark S. Miller <erights@google.com>
- Date: Tue, 13 Jul 2010 08:50:26 -0700
- To: art.barstow@nokia.com
- Cc: public-webapps <public-webapps@w3.org>
- Message-ID: <AANLkTinCuXMdcOMJK3XkqDBGpuQEHWtA-5dhCwoQBgkf@mail.gmail.com>
On Tue, Jul 13, 2010 at 6:50 AM, Arthur Barstow <art.barstow@nokia.com>wrote:
> All,
>
> Anne proposed WebApps publish a new WD of the CORS spec (last published in
> March 2009):
>
> http://dev.w3.org/2006/waf/access-control/
>
> If you have any comments or concerns about this proposal, please send them
> to public-webapps by July 20 at the latest.
>
> As with all of our CfCs, positive response is preferred and encouraged and
> silence will be assumed to be assent.
>
> -Art Barstow
>
Hi Art,
Just a reminder that the Security Consider sections <
http://dev.w3.org/2006/waf/access-control/#security> needs to say more. Our
last discussion of it at <
http://lists.w3.org/Archives/Public/public-webapps/2010AprJun/0709.html>
left the issue with:
> For example, will the Security Considerations
> section of CORS have to say:
>
> "It is not safe in CORS to make a GET request for public data using a
> URL obtained from a possibly malicious party. Validating the URL
> requires global knowledge of all origins that might grant special
> access to the requestor's origin, and so return private user data."
Yes, one would imagine saying something quite similar to that.
[...]
I am attempting to highlight that neither solution is a panacea, and
that you need to be aware of the limitations of either approach. The
UMP "Security Considerations" section has a long list of SHOULDs that
need to be followed in order for the approach to be secure, just as
the HTTP-State draft does, and just as the CORS spec should.
Has anyone been working towards a revised Security Considerations section?
--
Cheers,
--MarkM
Received on Tuesday, 13 July 2010 15:51:06 UTC