On Wed, May 12, 2010 at 1:38 PM, Jonas Sicking <[email protected]> wrote:
> On Wed, May 12, 2010 at 1:31 PM, Tyler Close <[email protected]> wrote:
>> On Wed, May 12, 2010 at 1:13 PM, Jonas Sicking <[email protected]> wrote:
>>> On Wed, May 12, 2010 at 12:38 PM, Devdatta <[email protected]> wrote:
>>>> While most of the discussion in this thread is just repeats of
>>>> previous discussions, I think Tyler makes a good (and new) point in
>>>> that the current CORS draft still has no mention of the possible
>>>> security problems that Tyler talks about. The current draft's security
>>>> section
>>>>
>>>> http://dev.w3.org/2006/waf/access-control/#security
>>>>
>>>> is ridiculous considering the amount of discussion that has taken
>>>> place on this issue on this mailing list.
>>>>
>>>> Before going to rec, I believe Anne needs to substantially improve
>>>> this section - based on stuff from maybe Maciej's presentation - which
>>>> I found really informative. He could also cite UMP as a possible
>>>> option for those worried about security.
>>>
>>> I agree that the security section in CORS needs to be improved.
>>>
>>> As for the "should CORS exist" discussion, I'll bow out of those until
>>> we're starting to move towards officially adopting a WG decision one
>>> way or another, or genuinely new information is provided which would
>>> affect such a decision (for the record, I don't think I've seen any
>>> new information provided since last fall's TPAC).
>>
>> A smart guy once told me that "You can't tell people anything",
>> meaning they have to experience it for themselves before they really
>> get it. Has Mozilla tried to build anything non-trivial using CORS
>> where cookies + Origin are the access control mechanism? If so, I'll
>> do a security review of it and we'll see what we learn.
>
> Not to my knowledge, no. I believe we use CORS for tinderboxpushlog
> [1], however since that is only dealing with public data I don't
> believe it uses cookies or Origin headers.

Does anyone have something?

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
