- From: Noah Mendelsohn <nrm@arcanedomain.com>
- Date: Fri, 23 Dec 2011 13:06:04 -0500
- To: "Hill, Brad" <bhill@paypal-inc.com>, Jonathan A Rees <rees@mumble.net>
- CC: Thomas Roessler <tlr@w3.org>, Ashok Malhotra <ashok.malhotra@oracle.com>, "www-tag@w3.org List" <www-tag@w3.org>, Eric Rescorla <ekr@rtfm.com>
Brad: thank you very much, this is very helpful. Jonathan: with the caveat that I still haven't done session scheduling for the F2F, which means we're at risk of having to skip some things, this seems like useful new information to discuss in person. Do you have a little time between now and them to review this to the point where you'd be able to lead a discussion? Again, since there's a risk I won't be able to fit it in, don't put too much time into it without doublechecking with me. Thank you. Noah P.S. Tracker: this relates to TAG ACTION-344 On 12/23/2011 12:39 PM, Hill, Brad wrote: > Sorry to join the discussion late. (thanks for including us, Thomas) > > I've gone back to the Don't Be a Deputy (DBAD) and CORS vs. UMP conversations archived in various places. While I was not a participant at the time and my context is limited, it appears to me the discussions conflated a number of issues, and many have been addressed by the current design of CORS. As co-chair of the new WG now shepherding these specs, I have made a personal appeal to Mark Miller and Tyler Close to bring any remaining issues they have to the us, but haven't received a response. > > The ability of web browsers to be abused as deputies is considerable, and has been for a long time, independent of CORS or XHR. With the restrictions on non-simple methods, I don't believe CORS as currently specified gives qualitatively new or different capabilities to a would-be CSRF attacker. The attacks I find described in the DBAD discussions can be accomplished with cross-origin POSTs from almost the beginnings of the Web. Most don't even need a scriptable user-agent. > > I can understand how the CORS vs. UMP debate *occasioned* a larger discussion about the architecture of the web and ambient authority, but it seems it was a philosophical argument, with CORS as a representative of the status quo, not as a harbinger of new vulnerabilities. The question of cross-origin ambient authority in the user-agent was and remains bigger than and orthogonal to CORS, and one that shouldn't hold it back from going to LC. If a decision is eventually reached that the ambient authority implied by the architecture of the Web must be curtailed, patching user-agents to force "Access-Control-Allow-Credentials: false" will be possibly the smallest and easiest change the community will have to make. > > Brad Hill > Co-chair, WebAppSec WG > > >
Received on Friday, 23 December 2011 18:06:36 UTC