[cap-talk] Fwd: [cors] TAG request concerning CORS & Next Step(s)
Adam Barth
cap-talk at adambarth.com
Fri Jun 26 17:19:10 EDT 2009

On Fri, Jun 26, 2009 at 2:08 PM, Toby Murray <toby.murray at comlab.ox.ac.uk> wrote:
> OK. So anyone who chooses to incur the cost of proxying can break the
> confidentiality. So the goal must be "confidentiality from all sites on
> the assumption that no site bothers to proxy every request", or
> (equivalently but less jarringly) "confidential from all those sites who
> don't bother to proxy every request".
>
> Is that a fair statement?

I think a helpful way to think about this topic is to ask yourself the
question "would ACME pay for this service?" In particular, I suspect
ACME would be willing to pay some amount of money to be able to access
Google Finance from the client without having to proxy all the
traffic. However, they would be unhappy if that meant Bob's Finance
could do the same for free.

> This is fine, but the caveat about proxying should really be stated up
> front I think.
>
> Is this a realistic goal? i.e. is it fair to expect that this goal
> actually aligns with those of people who deploy web services?

There's certainly a lot of interest in CORS and cross-origin
XMLHttpRequest. Folks hate proxying content. It's a big pain point
in the web platform.

> Knowing nothing about privacy law (but ploughing ahead anyway --
> apologies), I can't see that this sort of confidentiality would be
> enough to satisfy data protection regulations about the handling of
> private user data, for example. Hence, I feel that using the word
> "confidentiality" here could be dangerous.

I find it helpful to think of security properties as falling into the
categories confidentiality, integrity, and availability. This is not
a particularly strong notion of confidentiality.

Adam