On Sun, Dec 13, 2009 at 6:15 PM, Maciej Stachowiak <[email protected]> wrote:
> There seem to be two schools of thought that to some extent inform the
> thinking of participants in this discussion:
> 1) Try to encourage capability-based mechanisms by not providing anything
> that lets you extend the use of origins and cookies.
> 2) Try to build on the model that already exists and that we are likely
> stuck with, and provide practical ways to mitigate its risks.
My own perspective on this is:

3) In scenarios involving more than 2 parties, the ACL model is inherently
vulnerable to CSRF-like problems. So, for cross-origin scenarios, a non-ACL
model solution is needed.

The above is a purely practical perspective. When writing or auditing code,
UM provides a way to eliminate an entire class of attacks. I view it the same
way I do moving from C to a memory-safe language to avoid buffer overflow and
related attacks.

--Tyler

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
