[cap-talk] Fwd: [cors] TAG request concerning CORS & Next Step(s)
Adam Barth
cap-talk at adambarth.com
Fri Jun 26 17:29:31 EDT 2009
On Fri, Jun 26, 2009 at 2:25 PM, <ihab.awad at gmail.com> wrote:
> On Fri, Jun 26, 2009 at 2:11 PM, Adam Barth<cap-talk at adambarth.com> wrote:
>> On Fri, Jun 26, 2009 at 2:05 PM, Ben Laurie<benl at google.com> wrote:
>>> Surely we're discussing useful security models?
>> Are you suggesting CORS has no use cases?
>
> To clarify, Ben's remark, as I read it, is simply this:
>
> "Any sufficiently robust model should expose to *any* end-user's
> browser only that information that it would expose to a
> *sophisticated* end-user willing and able to debug the browser and
> behave as an attacker."
Ok, but CORS trivially satisfies that requirement because the barriers
we are bridging only exist on the client. A frame to Google Finance
can already issue an XMLHttpRequest to finance.google.com.
Adam