[cap-talk] Fwd: [cors] TAG request concerning CORS &Next Step(s)
Tyler Close
tyler.close at gmail.com
Fri Jun 26 16:22:52 EDT 2009
On Fri, Jun 26, 2009 at 10:03 AM, Adam Barth <cap-talk at adambarth.com> wrote:
> On Fri, Jun 26, 2009 at 9:33 AM, Rob Meijer <capibara at xs4all.nl> wrote:
>> Wouldn't making this argument be much less relevant than the argument of
>> solving a much more generic version of the problem?
>
> It's wonderful if you can solve a more general version of the problem,
> but I'd like to see how to solve the basic version first.
I assume the basic version is the one described at:
http://www.w3.org/mid/7789133a0906242228r2611a382xcafde34f2d003fc7@mail.gmail.com
Is there a concrete definition of the security property being enforced
in the scenario? AFAICT, CORS can't prevent EvilAcme Finance from
displaying stock information originally sourced from Google Finance,
so it seems we're just counting network round-trips, not enforcing
access control. Is that right? So, CORS can fail to enforce access
control with fewer round-trips?
--Tyler
--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html