
Re: [CORS] Security models and confusion about credentials

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 11 Sep 2013 11:25:56 +0100
Message-ID: <CADnb78hyq_7C4keW8h1byaZhBHjg3YkBT-f7Mt9Bef4Qeef3vA@mail.gmail.com>
To: Austin William Wright <aaa@bzfx.net>
Cc: "Hill, Brad" <bhill@paypal-inc.com>, WebAppSec WG <public-webappsec@w3.org>

On Tue, Sep 10, 2013 at 11:19 PM, Austin William Wright <aaa@bzfx.net> wrote:
> On Fri, Sep 6, 2013 at 3:47 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
>> It's not a security hole.
> It may not be in the scope of CORS or WebAppSec to fix for most cases, but I
> nonetheless do describe a security hole, that potentially sensitive
> information may be leaked. We already identified some:

These seem unrelated to CORS.

> Overall, the course of action here would be to raise an issue with the
> appropriate WG.

The things you "identified" cannot be fixed as content relies on them
not being fixed. The way we solve them is by providing sites
additional hooks.

>> The HTML
>> Standard defines the security model of the web, irrespective of what
>> scope or charters have to say about it. As for the HTML WG, it's
>> mostly in the business of copy-and-pasting the HTML Standard.
> Since when?

The former started in 2004, the latter in 2007, or a bit later
depending on how you view things.

> Are these two notes something that can be added?

How does http://www.w3.org/TR/cors/#security not cover this?

Received on Wednesday, 11 September 2013 10:26:23 UTC