- From: Jack (Zhan, Hua Ping) <jackiszhp@gmail.com>
- Date: Thu, 12 Oct 2017 07:26:44 +0800
- To: Stefan Zager <szager@google.com>, "public-webapps@w3.org" <public-webapps@w3.org>
Your black list vs. white list is the best reasoning for CORS I have ever seen.

> Your earlier example about a government agency trying to scan evil
> third-party websites is not relevant, and has nothing to do with CORS.
> Indeed, if you were the government employee given the job of implementing
> such a scanning tool, there are certainly many other (better) ways to
> implement it, besides a web page making cross-origin requests.

You misunderstood me. Please read http://lists.w3.org/Archives/Public/public-webapps/2017OctDec/0024.html or the #0014 post again. What I said is that the government is evil: the government is trying to use http://evil.com/a.html to access data from my website, https://bankA.com/ticker/MSFT (which is public data) and https://bankA.com/LastTransactionOfISISaccount (which is confidential data). The bank is not evil.

Since you are not saying my way has a flaw in it, I do not have to challenge you. But I really hope Florian and Tab Atkins can accept my challenge to defeat me. I want the configurable same origin policy at the browser side (Florian said I do not want the same origin policy, which is not right); what I do not need is CORS, which is the authorization thing. And I, as the manager of https://bankA.com/, do not need to delegate the authorization checking procedure to a remote browser, and I believe no server should trust and delegate the authorization check to the remote browser. Any server whose security relies on that should be defeated easily; that's a real security hole. And I believe that with my proposal to extend the same origin policy, the CORS thing can retire, since it is redundant and so useless.

Your black & white list thing is nice. But the link you gave is not from that perspective; instead it says something that is not really relevant. Florian Bosch & Tab Atkins seem to suggest that with what I proposed (see the #24 post & #2 post) there is a security issue. Hence, I hope they can tell me how to steal the confidential data from my site.

With best regards,
Jack
Received on Wednesday, 11 October 2017 23:27:07 UTC
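The scenario in the message above, as an added example that is not part of the thread and not code from any browser or server project: a server on https://bankA.com serves the two endpoints Jack names, and a page on http://evil.com requests them from the browser of a logged-in customer. The session store, the cookie name "session", the partner origin in ALLOWED_ORIGINS, the sample transaction and the request/response shapes are assumptions made for this example. It shows where each decision actually lives: the server decides who may access the confidential data from the session cookie, on the server, before it looks at Origin at all; the Access-Control-Allow-Origin headers only tell a browser whether the requesting page's origin may read a response the server has already chosen to send.

```javascript
// Added example, not code from the thread or from any browser or server
// project. Hostnames and paths come from the message; the session store, the
// cookie name "session", ALLOWED_ORIGINS and the request/response shapes are
// assumptions made for this example.

// Constructed sample data: one logged-in user and one partner origin whose
// browser pages are allowed to read the confidential endpoint.
const SESSIONS = new Map([["s3cr3t-session-id", "alice"]]);
const ALLOWED_ORIGINS = new Set(["https://partner.example"]);

function parseCookies(header) {
  const cookies = {};
  if (!header) return cookies;
  for (const part of header.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    cookies[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return cookies;
}

// The server side. Authorization (who may access the data at all) is decided
// here from the session cookie, before any CORS header is chosen.
function handleRequest(req) {
  const origin = req.headers.origin;
  const json = (status, headers, obj) => ({
    status,
    headers: { "Content-Type": "application/json", ...headers },
    body: JSON.stringify(obj),
  });

  if (req.path === "/ticker/MSFT") {
    // Public data: any origin may read it, so "*" is safe. A browser never
    // honours "*" for a credentialed request, which is fine because this
    // endpoint does not look at cookies at all.
    return json(200, { "Access-Control-Allow-Origin": "*" }, { symbol: "MSFT", price: 77.12 });
  }

  if (req.path === "/LastTransactionOfISISaccount") {
    const user = SESSIONS.get(parseCookies(req.headers.cookie).session);
    if (!user) {
      // No valid session: refused regardless of Origin, browser or curl alike.
      return json(401, {}, { error: "authentication required" });
    }
    const cors = {};
    if (origin && ALLOWED_ORIGINS.has(origin)) {
      // Echo the exact allowed origin (never "*") so a browser lets that
      // partner page read a credentialed response; Vary keeps caches from
      // replaying one origin's answer to another.
      cors["Access-Control-Allow-Origin"] = origin;
      cors["Access-Control-Allow-Credentials"] = "true";
      cors["Vary"] = "Origin";
    }
    return json(200, cors, { account: user, last: { amount: -120.5, to: "ACME" } });
  }

  return json(404, {}, { error: "not found" });
}

// The browser side, reduced to the one decision that matters here: the request
// is sent (with the user's cookies when credentials are included), the
// response arrives, and the page may read the body only if the CORS headers
// name its origin.
function browserCanRead(pageOrigin, response, { credentials }) {
  const acao = response.headers["Access-Control-Allow-Origin"];
  if (!acao) return false;
  if (acao === "*") return !credentials;
  if (acao !== pageOrigin) return false;
  if (credentials && response.headers["Access-Control-Allow-Credentials"] !== "true") return false;
  return true;
}

// Replays the scenario from the message: a page on http://evil.com, running in
// the browser of a logged-in bankA customer, tries both endpoints.
function evilPageAttempts() {
  const evil = "http://evil.com";
  const ticker = handleRequest({ method: "GET", path: "/ticker/MSFT", headers: { origin: evil } });
  const withCookie = handleRequest({
    method: "GET",
    path: "/LastTransactionOfISISaccount",
    headers: { origin: evil, cookie: "session=s3cr3t-session-id" },
  });
  const noCookie = handleRequest({
    method: "GET",
    path: "/LastTransactionOfISISaccount",
    headers: { origin: evil },
  });
  return {
    tickerReadable: browserCanRead(evil, ticker, { credentials: false }),
    confidentialReadable: browserCanRead(evil, withCookie, { credentials: true }),
    confidentialStatusWithoutSession: noCookie.status,
  };
}

console.log(evilPageAttempts());
// { tickerReadable: true, confidentialReadable: false, confidentialStatusWithoutSession: 401 }
```

Two things are worth noticing in the credentialed evil.com case. The confidential response does leave the server with status 200, because the customer's own cookie went along with the request; what stops evil.com is the browser refusing to hand that body to a page whose origin the server did not name, which is the same-origin policy guarding the user's ambient credentials, not the server outsourcing its authorization. A client that is not a browser (curl, a government scanner) never gets that far: without a valid session it receives 401, and the Origin header plays no part in that decision. Preflight (OPTIONS) requests for non-simple methods and headers are not modelled here.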