[cap-talk] Open Review of the CORS Specification
David-Sarah Hopwood
david-sarah at jacaranda.org
Mon Oct 12 21:41:42 PDT 2009

Mark Miller wrote:
> On Mon, Oct 12, 2009 at 6:12 PM, Doug Schepers <schepers at w3.org> wrote:
>> Hi, Folks-
>>
>> Please allow me to introduce myself: I'm the W3C Team Contact for the
>> WebApps Working group, which is developing the Cross-Origin Resource
>> Sharing (CORS) specification (with which some of you are familiar).
>>
>> It seems that there was some confusion about the details for reviewing
>> that specification, and specifically about the openness of the process.
>> I posted a response which Mark Miller asked me to make public,
>> suggesting that I post it to this list. (Thanks, Mark, for the suggestion.)
>
> Hi Doug, You're welcome. And thanks for posting this.
>
> The old thread has been revived at
> <http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/0095.html>.
> My main contribution to this thread is at
> <http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/0126.html>.
> The main criticisms of the relevance of Tyler's example are at
> <http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/0142.html>
> and <http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/0144.html>.
>
> I asked Doug to post his clarification to cap-talk because some of the
> best experts at thinking about access control and confused deputy
> vulnerabilities are here on this list. I sorely miss your voices on
> the w3c side of this debate. To subscribe, send email to
> public-webapps-request at w3.org with the subject "subscribe". Please do
> your part to keep the signal to noise ratio as high as possible.
> Thanks.
>
> Warning: This list can be voluminous. If you find that to be a
> deterrent from participating in discussions of access control, would
> Doug's suggestion #4 below help (make a new public list focused on
> CORS)? If so, please let Doug know.

If I thought that my participation would do much good, then it would be
worth subscribing to public-webapps and putting up with the bandwidth
overload. However, as far as I can see from reading the archives, the
valid objections to CORS (summarized in Tyler's 2009-06-10 post at
<http://waterken.sourceforge.net/recent.html>) have already been put
repeatedly and have never been substantively addressed by its supporters.
The response always seems to be something equally as vague as:
>> There were concerns that the CORS spec might not satisfy all the related
>> security issues; this is true, but we do believe that it solves a useful
>> set of cases, and doesn't introduce additional risk.
which, without actually enumerating the kind of cases that are supposed to
be "solved", does not seem to me to be a substantive technical argument
in favour of CORS at all. In the few cases where anything more specific
has been said about use cases, they appear to be just about creating
another hoop for attackers to jump through, rather than actually
preventing them from doing anything.

It is *not* harmless to add complexity to an already complicated and
poorly understood access control policy and mechanism ("Same Origin") in
a way that does not actually address the deficiencies of that policy and
mechanism.

--
David-Sarah Hopwood ⚥ http://davidsarah.livejournal.com