On Jan 9, 2010, at 1:57 PM, Tyler Close wrote:
On Sat, Jan 9, 2010 at 10:20 AM, Adam Barth w...@adambarth.com wrote:
(As Maciej says, CORS doesn't appear to have this hole.)
Indeed, I misread the section on simple requests:
http://www.w3.org/TR/access-control/#simple-cross-origin-request0
On Sun, Jan 10, 2010 at 6:54 AM, Maciej Stachowiak m...@apple.com wrote:
What I meant to say was that the weak confidentiality
protection for ECMAScript should not be used as an excuse to weaken
protection for other resources.
And I was never proposing to weaken existing protection for other
On Fri, Jan 8, 2010 at 4:56 PM, Adam Barth w...@adambarth.com wrote:
On Fri, Jan 8, 2010 at 4:43 PM, Tyler Close tyler.cl...@gmail.com wrote:
On Fri, Jan 8, 2010 at 3:56 PM, Adam Barth w...@adambarth.com wrote:
[... Requiring uniform responses to redirects ...]
It's a good thing to question,
On Sat, Jan 9, 2010 at 7:23 AM, Tyler Close tyler.cl...@gmail.com wrote:
If the response can be parsed as ECMAScript, an attacker can break
confidentiality by loading the document using a script tag.
As Maciej says, just because the server can screw up its
confidentiality doesn't mean we
On Fri, Jan 8, 2010 at 3:36 PM, Tyler Close tyler.cl...@gmail.com wrote:
On Fri, Jan 8, 2010 at 1:41 PM, Adam Barth w...@adambarth.com wrote:
What happens with Set-Cookie headers included in uniform responses?
It seems like we ought to ignore them based on the principle that UMP
requests are
On Sat, Jan 9, 2010 at 10:20 AM, Adam Barth w...@adambarth.com wrote:
On Sat, Jan 9, 2010 at 7:23 AM, Tyler Close tyler.cl...@gmail.com wrote:
Since in general this design cannot be made safe,
I think it's better to not support it at all in the security model, by
allowing a uniform request to
On Sat, Jan 9, 2010 at 1:57 PM, Tyler Close tyler.cl...@gmail.com wrote:
On Sat, Jan 9, 2010 at 10:20 AM, Adam Barth w...@adambarth.com wrote:
That's the security model we have. For example, it's safe to return
untrusted HTML tags with certain media types but not with others.
Just because
On Sat, Jan 9, 2010 at 2:23 PM, Adam Barth w...@adambarth.com wrote:
On Sat, Jan 9, 2010 at 1:57 PM, Tyler Close tyler.cl...@gmail.com wrote:
On Sat, Jan 9, 2010 at 10:20 AM, Adam Barth w...@adambarth.com wrote:
That's the security model we have. For example, it's safe to return
untrusted
On Sat, Jan 9, 2010 at 2:39 PM, Tyler Close tyler.cl...@gmail.com wrote:
On Sat, Jan 9, 2010 at 2:23 PM, Adam Barth w...@adambarth.com wrote:
On Sat, Jan 9, 2010 at 1:57 PM, Tyler Close tyler.cl...@gmail.com wrote:
On Sat, Jan 9, 2010 at 10:20 AM, Adam Barth w...@adambarth.com wrote:
That's
[[
In particular, the user agent should not add the HTTP headers:
User-Agent, Accept, Accept-Language, Accept-Encoding, or
Accept-Charset
]]
This seems a bit overly constrictive. Maybe we should send Accept: */*, etc?
More generally, I suspect the requirements in Section 3.2 violate
various
One more question: the draft doesn't seem to provide any way to
generate a uniform request. Are we planning to have another
specification for an API for generating these requests?
Adam
On Fri, Jan 8, 2010 at 1:41 PM, Adam Barth w...@adambarth.com wrote:
[[
In particular, the user agent
On Fri, Jan 8, 2010 at 1:41 PM, Adam Barth w...@adambarth.com wrote:
[[
In particular, the user agent should not add the HTTP headers:
User-Agent, Accept, Accept-Language, Accept-Encoding, or
Accept-Charset
]]
This seems a bit overly constrictive. Maybe we should send Accept: */*,
etc?
On Fri, Jan 8, 2010 at 2:53 PM, Adam Barth w...@adambarth.com wrote:
One more question: the draft doesn't seem to provide any way to
generate a uniform request. Are we planning to have another
specification for an API for generating these requests?
Similar to CORS, UMP is just the security
On Fri, Jan 8, 2010 at 3:36 PM, Tyler Close tyler.cl...@gmail.com wrote:
There are two uses for this requirement:
1. On browsers that don't yet support any cross-domain API, it would
be nice to emulate support by routing the request through the
requestor's Origin server. To help ensure the
On Fri, Jan 8, 2010 at 3:56 PM, Adam Barth w...@adambarth.com wrote:
On Fri, Jan 8, 2010 at 3:36 PM, Tyler Close tyler.cl...@gmail.com wrote:
There are two uses for this requirement:
1. On browsers that don't yet support any cross-domain API, it would
be nice to emulate support by routing the
On Fri, Jan 8, 2010 at 4:43 PM, Tyler Close tyler.cl...@gmail.com wrote:
On Fri, Jan 8, 2010 at 3:56 PM, Adam Barth w...@adambarth.com wrote:
[... Requiring uniform responses to redirects ...]
It's a good thing to question, since this feature is a
relaxation of the model, but it seems valuable