[cap-talk] Open Review of the CORS Specification

Mark Miller erights at gmail.com
Mon Oct 12 19:08:06 PDT 2009

On Mon, Oct 12, 2009 at 6:12 PM, Doug Schepers <schepers at w3.org> wrote:
> Hi, Folks-
> Please allow me to introduce myself: I'm the W3C Team Contact for the
> WebApps Working group, which is developing the Cross-Origin Resource
> Sharing (CORS) specification (with which some of you are familiar).
> It seems that there was some confusion about the details for reviewing
> that specification, and specifically about the openness of the process.
>  I posted a response which Mark Miller asked me to make public,
> suggesting that I post it to this list.  (Thanks, Mark, for the suggestion.)

Hi Doug, You're welcome. And thanks for posting this.

The old thread has been revived at
My main contribution to this thread is at
The main criticisms of the relevance of Tyler's example are at
and <http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/0144.html>.

I asked Doug to post his clarification to cap-talk because some of the
best experts at thinking about access control and confused deputy
vulnerabilities are here on this list. I sorely miss your voices on
the w3c side of this debate. To subscribe, send email to
public-webapps-request at w3.org with the subject "subscribe". Please do
your part to keep the signal to noise ratio as high as possible.

Warning: This list can be voluminous. If you find that to be a
deterrent from participating in discussions of access control, would
Doug's suggestion #4 below help (make a new public list focused on
CORS)? If so, please let Doug know.

> To summarize:
> There were concerns that the CORS spec might not satisfy all the related
> security issues; this is true, but we do believe that it solves a useful
> set of cases, and doesn't introduce additional risk.
> I suggested that making a diagram of the contextual architecture, with
> considerations for potential attack vectors, might help everyone discuss
> the spec (and related matters) with less confusion, and I've volunteered
> to help create that diagram.
> As with all the WebApps WG specs (and those of most of W3C at this point)...
> 1) CORS is available for review in both its Working Draft [1] and
> Editor's Draft [2] forms at all times by all people
> 2) We welcome technical review by anyone, with particular interest in
> feedback from security experts, and response to such feedback will be
> based on technical merit, not on whether a person is a member of the
> WebApps WG (nor even a Member of W3C)
> 3) The public WebApps WG list, public-webapps at w3.org, is where we do all
> our technical work, and everyone is free to read or post to that list
> 4) If the volume of email on that list is so great as to introduce a
> barrier to participation, we can discuss creating a dedicated mailing
> list for CORS
> 5) We would consider adding an editor to the CORS spec if it's shown
> that the current editor is not responsive to constructive technical
> argument, and if a suitable editor can be found (though I think the
> current editor is doing a pretty good job)
> 6) To reiterate: nobody who wants to contribute to the CORS
> specification has to join the WebApps WG.
> Obviously, we'd love it if companies were to join W3C to participate...
> that's what pays our bills (and my salary), and I believe it's a worthy
> cause (er... the cause being an open forum for development of specs, not
> just my salary), but it's not a prerequisite for active review and
> contribution (though the IPR of contributions is more clear for W3C
> Members, which is another reason we encourage it).
> We've put a lot of energy in the last few years in making W3C an open
> forum for discussion, debate, and decisions on Web technologies, because
> we think it's the right thing for the Web, and it helps our core mission.
> If anyone has any questions or concerns about any of this, let me know.
>  I hope to get thorough review of th CORS spec, because I think it will
> really help move the Web forward, but we need to make sure it's done
> right and meets the needs of the appropriate stakeholders.
> [1] http://www.w3.org/TR/cors/
> [2] http://dev.w3.org/2006/waf/access-control/
> Regards-
> -Doug Schepers
> W3C Team Contact, SVG and WebApps WGs
> _______________________________________________
> cap-talk mailing list
> cap-talk at mail.eros-os.org
> http://www.eros-os.org/mailman/listinfo/cap-talk

Text by me above is hereby placed in the public domain


More information about the cap-talk mailing list