[cap-talk] Fwd: [cors] TAG request concerning CORS &Next Step(s)
Adam Barth
cap-talk at adambarth.com
Fri Jun 26 16:44:59 EDT 2009
On Fri, Jun 26, 2009 at 1:22 PM, Tyler Close <tyler.close at gmail.com> wrote:
> I assume the basic version is the one described at:
>
> http://www.w3.org/mid/7789133a0906242228r2611a382xcafde34f2d003fc7@mail.gmail.com
>
> Is there a concrete definition of the security property being enforced
> in the scenario?
I've elaborated a bit in this thread, but yes, that's the scenario
we're talking about.
> AFAICT, CORS can't prevent EvilAcme Finance from
> displaying stock information originally sourced from Google Finance,
> so it seems we're just counting network round-trips, not enforcing
> access control. Is that right?
Here are the requirements in bullet form:
On Fri, Jun 26, 2009 at 10:02 AM, Adam Barth <cap-talk at adambarth.com> wrote:
> The problem we're trying to solve is this:
>
> 1) Google Finance would like to offer an API to access stock ticker
> information that is usable by other web sites.
> 2) Google Finance would like to restrict which web sites can use the
> API (e.g., to charge a fee, enforce a terms of use, etc.).
> 3) Web sites that access the stock ticker service do not wish to proxy
> the API traffic via their servers.
>
> Non-goals:
>
> A) We're not trying to stop Bob's Finance from accessing the stock
> ticker information from his server (Bob can always do this by browsing
> acme.com).
On Fri, Jun 26, 2009 at 1:22 PM, Tyler Close <tyler.close at gmail.com> wrote:
> So, CORS can fail to enforce access control with fewer round-trips?
Most of what folks would like to do with CORS they can already do with
other techniques (albeit less conveniently). The same is true of
XMLHttpRequest: almost all the uses of XMLHttpRequest on the web today
can be done without the XMLHttpRequest API. (There are some edge
cases involving methods and headers that require the API, but that
isn't the primary value of the API.)
You're right that defining the security property that Google Finance
wants in this scenario isn't as simple as "X doesn't learn Y." The
requirements are more subtle (but quite real).
Adam
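The following is an added illustration of the access-control property the requirements above are circling; it is my own example, not code from this thread, from Google Finance, or from any CORS implementation. It simulates both sides of a simple cross-origin GET: the API server grants `Access-Control-Allow-Origin` only to an allowlist of partner origins, and the browser exposes the response body to page script only when that header matches the page's origin. The origins, the allowlist and the ticker payload are constructed placeholders. The last function shows non-goal (A): a server fetching directly sends no `Origin` and is not subject to the check at all.

```python
"""Simulated CORS allowlist for a Google-Finance-style ticker API (added example)."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed allowlist: origins the API operator has an agreement with.
# These names are placeholders, not real partners.
ALLOWED_ORIGINS = frozenset({
    "https://partner.example",
    "https://bobsfinance.example",
})

# Constructed sample payload; the real API format is not on the page.
TICKER_BODY = '{"symbol":"ACME","price":42.0}'


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def handle_ticker_request(request_headers: dict) -> Response:
    """Server side. The body is sent to every caller; what the allowlist
    controls is only whether a browser will let cross-origin script read it.
    'Vary: Origin' keeps caches from serving one origin's ACAO to another."""
    resp = Response(
        200,
        {"Content-Type": "application/json", "Vary": "Origin"},
        TICKER_BODY,
    )
    origin = request_headers.get("Origin")
    if origin is not None and origin in ALLOWED_ORIGINS:
        # Echo the specific origin rather than '*': the grant is per-partner.
        resp.headers["Access-Control-Allow-Origin"] = origin
    return resp


def browser_exposes(page_origin: str, resp: Response) -> bool:
    """Client side: the browser's check for a simple cross-origin request.
    Script at page_origin may read the response only if the ACAO header
    names that origin exactly or is the wildcard."""
    acao = resp.headers.get("Access-Control-Allow-Origin")
    return acao == "*" or acao == page_origin


def script_fetch(page_origin: str) -> Optional[str]:
    """A page at page_origin calls the API through the browser: the browser
    attaches Origin, then applies CORS before handing the body to script."""
    resp = handle_ticker_request({"Origin": page_origin})
    return resp.body if browser_exposes(page_origin, resp) else None


def server_side_fetch() -> str:
    """Non-goal (A): a server fetching the API directly sends no Origin and
    applies no CORS check, so it always sees the body (but pays the proxy cost)."""
    return handle_ticker_request({}).body


if __name__ == "__main__":
    print("partner page  :", script_fetch("https://partner.example"))
    print("evilacme page :", script_fetch("https://evilacme.example"))
    print("server fetch  :", server_side_fetch())
```

The contrast between `script_fetch("https://evilacme.example")` and `server_side_fetch()` is exactly the point raised earlier in the thread: the allowlist never stops anyone from obtaining the data, it only decides whether a browser-hosted page may read it in place of proxying through its own server, so the property being enforced is about the cost and provenance of the access path, not about secrecy of the payload.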