[cap-talk] Fwd: [cors] TAG request concerning CORS & Next Step(s)
Dave Chizmadia - Gmail
davechiz at gmail.com
Mon Jul 6 14:19:16 EDT 2009
Adam,

> > Wouldn't it be much simpler for this scenario if Google
> > Finance would provide an API with which Acme Finance
> > could create and manage proxies at google.com to
> > delegate to individual users?
>
> How would this work without leaking Acme Finance cookies/
> passwords to Google? In other words, how could we secure
> such a system against a malicious data provider?

I outlined the basic structure of such an API in
message (albeit, not for the Acme/GoogleFinance problem):
http://www.eros-os.org/pipermail/cap-talk/2009-June/012860.html

However, given that the basic concern in the problem
statement for CORS is accountability rather than one of the
harder protection concerns (confidentiality, integrity,
or availability), it would be easier and more consistent
with existing web architecture to simply use the approach
I suggest in message
http://www.eros-os.org/pipermail/cap-talk/2009-June/012894.html

I go on to explain the principle of this approach using
a physical-world analogy in
http://www.eros-os.org/pipermail/cap-talk/2009-June/012923.html

-DMC