- From: Jack (Zhan, Hua Ping) <jackiszhp@gmail.com>
- Date: Thu, 12 Oct 2017 08:29:48 +0800
- To: "Tab Atkins Jr." <jackalmage@gmail.com>, "public-webapps@w3.org" <public-webapps@w3.org>
When you said in #0015 (http://lists.w3.org/Archives/Public/public-webapps/2017OctDec/0015.html):

> Because the browser cannot automatically tell what page data contains sensitive information and what doesn't.

it seemed to me you suggested there is a flaw in my proposal. By the way, I responded in #0016 that I do not expect a browser to do that. Now you said:

> *You* might do that, and be safe from evil websites grabbing your customer's personal information.

It seems to me that you no longer suggest there is a flaw in my proposal. May I say that you admit there is no flaw in my proposal? If you still think what I proposed is flawed, then please try to defeat me. For your convenience, please see #24: http://lists.w3.org/Archives/Public/public-webapps/2017OctDec/0024.html or #0014 (not the beginning, but the rear part).

> (As Jake has said, some resources that were linkable in the early web, like images, are stuck with #1. Changing them at this point would break too much of the web, but as a result we have regular security issues.)

According to https://www.linshunghuang.com/papers/css.pdf, the success of it relies on:

#1. The server did not do an authorization check for its "secret data".
#2. http://evil.com/a.html can inject a string into https://bankA.com/LastTransactionOfISISaccount after the latter is loaded.

By the way, my point is that CORS should not have been adopted from the beginning, while the approach I proposed should be adopted.

> why your suggestions for an alternate system would be bad for security and won't be accepted by browsers today.

I still did not see why "bad for security", and as for adoption, I would say no web server relies on CORS for authorization checks, so there is no point in assuming the importance of the authorization mechanism defined by CORS. As for the term "CORS", I think we had better call it delegation of resource authorization from web server to web browser.

Since the "close" cross-origin approach is adopted, Mozilla's web OS concept will be defeated.

with best regards
Jack (Zhan, Hua Ping詹华平)
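The distinction the mail draws between the server's own authorization check (#1) and what it calls "delegation of resource authorization from web server to web browser" can be made concrete with a small model. The following Python is an added example, not code from this thread or from any W3C deliverable; the origins, session store and request shape are constructed for illustration. It shows a handler that authorizes every request on its session cookie regardless of the Origin header, and separately emits CORS headers only for an allowlisted origin, so the browser-side check is layered on top of, never substituted for, the server-side one.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample data (hypothetical, not from the thread).
BANK_ORIGIN = "https://bankA.example"          # the origin serving the secret data
ALLOWED_ORIGINS = {"https://partner.example"}  # CORS allowlist for credentialed reads
VALID_SESSIONS = {"sess-123": "alice"}         # constructed session store


@dataclass
class Request:
    origin: Optional[str]   # value of the Origin header; None when absent (same-origin navigation)
    cookie: Optional[str]   # session cookie value, if any
    path: str


def authorize(req: Request) -> Optional[str]:
    """Server-side authorization (#1 in the mail): decided on the session alone,
    completely independent of the Origin header. Returns the user or None."""
    if not req.cookie:
        return None
    return VALID_SESSIONS.get(req.cookie)


def cors_headers(origin: Optional[str]) -> Dict[str, str]:
    """CORS headers decide what the *browser* will let a cross-origin page read.
    They never decide whether the server answers; that is authorize()'s job."""
    if origin is None or origin == BANK_ORIGIN:
        return {}  # same-origin request: no CORS headers needed
    if origin in ALLOWED_ORIGINS:
        # Echo the exact allowlisted origin; "*" is never valid with credentials.
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {}  # unknown origin: no ACAO header, so the browser withholds the body


def handle(req: Request) -> Tuple[int, Dict[str, str], str]:
    """Serve the secret resource: 401 without a valid session, whatever the Origin."""
    user = authorize(req)
    if user is None:
        return 401, {}, ""
    body = f"last transaction for {user}"
    return 200, cors_headers(req.origin), body


def browser_can_read(req: Request, response: Tuple[int, Dict[str, str], str]) -> bool:
    """Model of the browser's CORS check for a credentialed cross-origin fetch:
    the body is exposed to the calling page only if the headers name its origin."""
    _status, headers, _body = response
    if req.origin is None or req.origin == BANK_ORIGIN:
        return True  # same-origin: no CORS gate
    return (headers.get("Access-Control-Allow-Origin") == req.origin
            and headers.get("Access-Control-Allow-Credentials") == "true")


if __name__ == "__main__":
    for req in (
        Request("https://evil.example", None, "/last"),        # no session
        Request("https://evil.example", "sess-123", "/last"),  # session, unlisted origin
        Request("https://partner.example", "sess-123", "/last"),
        Request(None, "sess-123", "/last"),                    # same-origin
    ):
        resp = handle(req)
        print(req.origin, resp[0], "browser may read:", browser_can_read(req, resp))
```

The second case is the one worth noticing: the server still produces a 200 with the body, and only the browser's CORS gate keeps an unlisted origin from reading it. That is exactly why the server's own authorization check must not be skipped on the assumption that CORS will cover it.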
Received on Thursday, 12 October 2017 00:30:39 UTC