[cap-talk] Open Review of the CORS Specification

Mark Miller erights at gmail.com
Mon Oct 12 19:08:06 PDT 2009


On Mon, Oct 12, 2009 at 6:12 PM, Doug Schepers <schepers at w3.org> wrote:
> Hi, Folks-
>
> Please allow me to introduce myself: I'm the W3C Team Contact for the
> WebApps Working group, which is developing the Cross-Origin Resource
> Sharing (CORS) specification (with which some of you are familiar).
>
> It seems that there was some confusion about the details for reviewing
> that specification, and specifically about the openness of the process.
> I posted a response which Mark Miller asked me to make public,
> suggesting that I post it to this list. (Thanks, Mark, for the suggestion.)

Hi Doug, you're welcome. And thanks for posting this.

The old thread has been revived at
<http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/0095.html>.
My main contribution to this thread is at
<http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/0126.html>.
The main criticisms of the relevance of Tyler's example are at
<http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/0142.html>
and <http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/0144.html>.

I asked Doug to post his clarification to cap-talk because some of the
best experts at thinking about access control and confused deputy
vulnerabilities are here on this list. I sorely miss your voices on
the w3c side of this debate. To subscribe, send email to
public-webapps-request at w3.org with the subject "subscribe". Please do
your part to keep the signal to noise ratio as high as possible.
Thanks.

Warning: This list can be voluminous. If you find that to be a
deterrent from participating in discussions of access control, would
Doug's suggestion #4 below help (make a new public list focused on
CORS)? If so, please let Doug know.
> To summarize:
>
> There were concerns that the CORS spec might not satisfy all the related
> security issues; this is true, but we do believe that it solves a useful
> set of cases, and doesn't introduce additional risk.
>
> I suggested that making a diagram of the contextual architecture, with
> considerations for potential attack vectors, might help everyone discuss
> the spec (and related matters) with less confusion, and I've volunteered
> to help create that diagram.
>
> As with all the WebApps WG specs (and those of most of W3C at this point)...
>
> 1) CORS is available for review in both its Working Draft [1] and
> Editor's Draft [2] forms at all times by all people
>
> 2) We welcome technical review by anyone, with particular interest in
> feedback from security experts, and response to such feedback will be
> based on technical merit, not on whether a person is a member of the
> WebApps WG (nor even a Member of W3C)
>
> 3) The public WebApps WG list, public-webapps at w3.org, is where we do all
> our technical work, and everyone is free to read or post to that list
>
> 4) If the volume of email on that list is so great as to introduce a
> barrier to participation, we can discuss creating a dedicated mailing
> list for CORS
>
> 5) We would consider adding an editor to the CORS spec if it's shown
> that the current editor is not responsive to constructive technical
> argument, and if a suitable editor can be found (though I think the
> current editor is doing a pretty good job)
>
> 6) To reiterate: nobody who wants to contribute to the CORS
> specification has to join the WebApps WG.
>
>
> Obviously, we'd love it if companies were to join W3C to participate...
> that's what pays our bills (and my salary), and I believe it's a worthy
> cause (er... the cause being an open forum for development of specs, not
> just my salary), but it's not a prerequisite for active review and
> contribution (though the IPR of contributions is more clear for W3C
> Members, which is another reason we encourage it).
>
> We've put a lot of energy in the last few years in making W3C an open
> forum for discussion, debate, and decisions on Web technologies, because
> we think it's the right thing for the Web, and it helps our core mission.
>
> If anyone has any questions or concerns about any of this, let me know.
> I hope to get thorough review of the CORS spec, because I think it will
> really help move the Web forward, but we need to make sure it's done
> right and meets the needs of the appropriate stakeholders.
>
> [1] http://www.w3.org/TR/cors/
> [2] http://dev.w3.org/2006/waf/access-control/
>
> Regards-
> -Doug Schepers
> W3C Team Contact, SVG and WebApps WGs
> _______________________________________________
> cap-talk mailing list
> cap-talk at mail.eros-os.org
> http://www.eros-os.org/mailman/listinfo/cap-talk
>
-- 
Text by me above is hereby placed in the public domain

    Cheers,
    --MarkM
