W3C home > Mailing lists > Public > www-tag@w3.org > May 2010

Re: ACTION-340: CORS, UMP and XHR2

From: John Kemp <john@jkemp.net>
Date: Thu, 20 May 2010 12:10:33 -0400
Cc: "www-tag@w3.org WG" <www-tag@w3.org>
Message-Id: <6F8288FD-24A9-4E8A-897B-AB3B3A3143F2@jkemp.net>
To: "Mark S. Miller" <erights@google.com>
Hi Mark,

On May 20, 2010, at 12:00 PM, Mark S. Miller wrote:

> On Thu, May 20, 2010 at 7:57 AM, John Kemp <john@jkemp.net> wrote:
> It should be noted that because UMP suggests a new model, it does not
> yet support the same set of use-cases supported by CORS.
> UMP does support the use cases listed in the CORS doc, and virtually all use cases anyone has thrown at us. Also, CORS does not support many of the use cases supported by UMP. This pair of facts seem worth mentioning.

My statement comes from reading the requirements section of the UMP specification: http://www.w3.org/TR/UMP/#requirements where it says:

"Note: These requirements are taken from the CORS specification. A note indicates those requirements that could not be fully satisfied."

and, for requirement 10 in that list:

"Note: To retain compatibility with deployed implementations, support for POSTs of arbitrary media types is deferred to a future Uniform Messaging Policy, Level Two specification."

Requirements 12, 16 and 17 have similar notes.

I believe that UMP also supports use-cases, and meets requirements _not_ listed in the CORS spec. 

> In summary, both CORS and UMP support cross-domain requests. CORS
> utilizes existing origin- and cookie-based approaches for access
> control, but doesn't completely prevent XSRF/Clickjacking. UMP allows
> the complete prevention of such attacks, but relies upon
> relatively non-standard mechanisms for authenticating cross-site requests in
> order to do so.
> As we explain in the "Security Considerations" of UMP, websites must already use some kind of unguessable token (i.e., the CSRF token) to protect themselves from CSRF anyway. So UMP does not rely on "relatively non-standard mechanisms". Am I missing something?

Are any of the "unguessable token" mechanisms you mention widely supported by websites? If so, which one(s), and by whom are they supported?

> UMP and CORS differ in the use-cases they support.
> The only differences I know of, and that has withstood any scrutiny, are that UMP supports some use cases that CORS does not.

I agree that this is the case, but I also believe that CORS supports some mechanisms that UMP does not, as described above, related to the CORS requirements which are reproduced in the UMP requirements. Please let me know if I have misrepresented the statements in the specification.


- johnk

> Regards,
> - johnk
> [CORS] http://www.w3.org/TR/access-control/
> [UMP] http://www.w3.org/TR/UMP/
> [XHR2] http://www.w3.org/TR/XMLHttpRequest2/
> [SOP] http://en.wikipedia.org/wiki/Same_origin_policy
> [AmbientAuthority] http://en.wikipedia.org/wiki/Ambient_authority
> [CORSChallenge] http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/0479.html
> [CORS/UMP] Begins with: http://www.w3.org/Security/wiki/Comparison_of_CORS_and_UMP
> [UMP/CORS:Implementor Interest] Begins with: http://www.mail-archive.com/public-webapps@w3.org/msg08280.html
> [[UMP] Request for Last Call] http://www.mail-archive.com/public-webapps@w3.org/msg08135.html
> [CrockScript] http://javascript.crockford.com/script.html
> -- 
>     Cheers,
>     --MarkM
Received on Thursday, 20 May 2010 16:11:21 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:56:34 UTC