Re: [CORS] Security models and confusion about credentials

From: Anne van Kesteren <annevk@annevk.nl>
Date: Fri, 6 Sep 2013 11:47:13 +0100
Message-ID: <CADnb78hqe+RPCHw5_K_EDYfgUSJAm0qSmmGRDn9Gr5X5SftsEA@mail.gmail.com>
To: Austin William Wright <aaa@bzfx.net>
Cc: "Hill, Brad" <bhill@paypal-inc.com>, WebAppSec WG <public-webappsec@w3.org>

On Thu, Sep 5, 2013 at 7:37 PM, Austin William Wright <aaa@bzfx.net> wrote:
> But on the topic of user agents, the solution isn't any different than any
> other security hole. It doesn't matter how long the hole has been around,
> you _fix it_. Security is more important than reverse compatibility,
> efficiency, or any other concern.

It's not a security hole.

>> Aside: The web security model is defined by HTML:
>> http://www.whatwg.org/C Extracting it from there requires lengthy
>> detailed reading though. This document contains a high-level overview
>> of some of the concepts and legacy artifacts:
>> https://tools.ietf.org/html/rfc6454
> RFC 6454 isn't marked as obsolete?

It's not obsolete (yet).

> I don't believe HTML can
> normatively define scripting-related concerns any more than it could
> re-define HTTP (it doesn't appear that's in-scope anyways, by the HTML WG
> charter).

If you believe that's how things work I cannot help you. The HTML
Standard defines the security model of the web, irrespective of what
scope or charters have to say about it. As for the HTML WG, it's
mostly in the business of copy-and-pasting the HTML Standard.

Received on Friday, 6 September 2013 10:47:41 UTC