Re: CORS from Jake Archibald on 2017-10-10 (public-webapps@w3.org from October to December 2017)

From: Jake Archibald <jakearchibald@google.com>
Date: Tue, 10 Oct 2017 16:57:36 +0000
To: Florian Bösch <pyalot@gmail.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, "Jack (Zhan, Hua Ping)" <jackiszhp@gmail.com>, Travis Leithead <travis.leithead@microsoft.com>, "public-webapps@w3.org" <public-webapps@w3.org>
Message-ID: <CAPy=Jor9qeAv0KKTTShjKvc+ANYd-pGnq_U7ycNCzcNbJ+BDkQ@mail.gmail.com>

I can't find any reference to this "Adobe" behaviour.

Flash relied on crossdomain.xml, but that had to be on the origin
containing the requested resource, so 2nd.com in this case.

Adobe's solution is pretty similar to CORS but sets an origin-wide policy,
whereas CORS can be per resource.

On Tue, 10 Oct 2017, 17:21 Florian Bösch, <pyalot@gmail.com> wrote:

> On Tue, Oct 10, 2017 at 5:33 PM, Travis Leithead <
> travis.leithead@microsoft.com> wrote:
>
>> While the Adobe solution you mention below seems OK at first, note that
>> the requestor for permissions is self-granting the permission. In other
>> words, it would be just as easy for: https://evil.com/ to add <meta
>> name="sameOrigin" content="https://popularbank.com" /> and grant
>> permission to itself to access your bank. A self-granting permission model
>> just isn't secure--the permission grant must come from the resource being
>> requested.
>
>
> Was about to point that out. Never heard about Adobes approach, but you'd
> think that overtime Adobe would get security right. Apparently not.
>

Received on Tuesday, 10 October 2017 16:58:41 UTC