Re: [CORS] Security models and confusion about credentials

On Tue, Sep 10, 2013 at 11:19 PM, Austin William Wright <aaa@bzfx.net> wrote:
> On Fri, Sep 6, 2013 at 3:47 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
>> It's not a security hole.
>
> It may not be in the scope of CORS or WebAppSec to fix for most cases, but I
> nonetheless do describe a security hole, that potentially sensitive
> information may be leaked. We already identified some:

These seem unrelated to CORS.


> Overall, the course of action here would be to raise an issue with the
> appropriate WG.

The things you "identified" cannot be fixed as content relies on them
not being fixed. The way we solve them is by providing sites
additional hooks.


>> The HTML
>> Standard defines the security model of the web, irrespective of what
>> scope or charters have to say about it. As for the HTML WG, it's
>> mostly in the business of copy-and-pasting the HTML Standard.
>
> Since when?

The former started in 2004, the latter in 2007, or a bit later
depending on how you view things.


> Are these two notes something that can be added?

How does http://www.w3.org/TR/cors/#security not cover this?


-- 
http://annevankesteren.nl/

Received on Wednesday, 11 September 2013 10:26:23 UTC