- From: =JeffH <Jeff.Hodges@KingsMountain.com>
- Date: Fri, 29 Jun 2012 12:49:05 -0700
- To: W3C Web App Security WG <public-webappsec@w3.org>
Thanks for the feedback, Anne.

Anne replied on Mon, 11 Jun 2012 14:02:35 +0200:
>
> On Wed, 02 May 2012 02:20:26 +0200, =JeffH
> <Jeff.Hodges@kingsmountain.com> wrote:
>> The Security Considerations section is situated ahead of the meat of the
>> spec, which makes it difficult to comprehend unless one skips ahead.
>
> This is dealt with in a separate thread.

Hm, I couldn't find (on public-webappsec@) discussion regarding where in the
CORS spec the sec cons section ought to be placed.

>> Should perhaps (boldly) define a new term for the notion of "an instance
>> of an application from a foreign origin, executing in the user agent"
>> suggestion: web application client instance
>
> Why?

Actually, the spec uses the term "client-side web application", which I
should've caught (sorry), so this is more-or-less addressed.

>> The examples are set off with the double vertical bar glyph along the
>> left-hand edge -- however, they are not otherwise denoted explicitly as
>> examples.
<snip/>
>>
>> || For example:
>> ||
>> || If a resource author has a simple text resource....
>> ||
>
> Yeah, I'm waiting for the W3C to establish some kind of style sheet
> that hooks into the classes.

In the meantime, Hixie is doing the below in the HTML5 spec, which seems
helpful to the reader...

|| For example, if a resource author has a simple text resource....

>> The spec should define, or reference a definition of..
>>
>> Ambient authority
>
> Why? It should be pretty clear from the context what it is about.

The first times I stumbled across that term (here and elsewhere) I found it
opaque. A link to <https://tools.ietf.org/html/rfc6454#section-8.3> at least
would be helpful, especially from the CORS Security Considerations section,
because rfc6454 discusses the particular security concerns with it (ambient
authority) in a web context.

>> "simple cross-origin request"
>> -----------------------------
>>
>> Perhaps the definition for "simple cross-origin request" should simply
>> be moved to be step 2 in section "7.1 Cross-Origin Request".
>
> If you read the specification from top-to-bottom it is clear enough.

I don't think it's clear enough. There is no all-in-one-place definition, plus
the spec is hyperlinked and the present hyperlinks don't yield a concise
definition for the reader. Plus the term figures in the security
considerations.

HTH,
=JeffH
Received on Friday, 29 June 2012 19:49:31 UTC