Henry,
In my opinion as Chair, there has been broad consensus in the
WebAppSec WG that one of the basic design constraints of
CORS is that introducing CORS features into browsers not create
new security vulnerabilities for existing network deployments.
What you are proposing would have that
On 21 Jul 2012, at 15:02, Eric Rescorla wrote:
Henry,
In my opinion as Chair, there has been broad consensus in the
WebAppSec WG that one of the basic design constraints of
CORS is that introducing CORS features into browsers not create
new security vulnerabilities for existing network
On Thu, Jul 19, 2012 at 7:50 AM, Cameron Jones cmhjo...@gmail.com wrote:
On Thu, Jul 19, 2012 at 3:19 PM, Anne van Kesteren ann...@annevk.nl wrote:
On Thu, Jul 19, 2012 at 4:10 PM, Cameron Jones cmhjo...@gmail.com wrote:
Isn't this mitigated by the Origin header?
No.
Could you expand on
On Fri, Jul 20, 2012 at 8:29 AM, Adam Barth w...@adambarth.com wrote:
On Thu, Jul 19, 2012 at 7:50 AM, Cameron Jones cmhjo...@gmail.com wrote:
On Thu, Jul 19, 2012 at 3:19 PM, Anne van Kesteren ann...@annevk.nl wrote:
On Thu, Jul 19, 2012 at 4:10 PM, Cameron Jones cmhjo...@gmail.com wrote:
On Fri, Jul 20, 2012 at 4:37 AM, Cameron Jones cmhjo...@gmail.com wrote:
On Fri, Jul 20, 2012 at 8:29 AM, Adam Barth w...@adambarth.com wrote:
On Thu, Jul 19, 2012 at 7:50 AM, Cameron Jones cmhjo...@gmail.com wrote:
On Thu, Jul 19, 2012 at 3:19 PM, Anne van Kesteren ann...@annevk.nl wrote:
On
On Fri, Jul 20, 2012 at 4:50 PM, Adam Barth w...@adambarth.com wrote:
On Fri, Jul 20, 2012 at 4:37 AM, Cameron Jones cmhjo...@gmail.com wrote:
So, this is a non-starter. Thanks for all the fish.
That's why we have the current design.
Yes, i note the use of the word current and not final.
On Fri, Jul 20, 2012 at 9:55 AM, Cameron Jones cmhjo...@gmail.com wrote:
On Fri, Jul 20, 2012 at 4:50 PM, Adam Barth w...@adambarth.com wrote:
On Fri, Jul 20, 2012 at 4:37 AM, Cameron Jones cmhjo...@gmail.com wrote:
So, this is a non-starter. Thanks for all the fish.
That's why we have the
On 20 Jul 2012, at 18:59, Adam Barth wrote:
On Fri, Jul 20, 2012 at 9:55 AM, Cameron Jones cmhjo...@gmail.com wrote:
On Fri, Jul 20, 2012 at 4:50 PM, Adam Barth w...@adambarth.com wrote:
On Fri, Jul 20, 2012 at 4:37 AM, Cameron Jones cmhjo...@gmail.com wrote:
So, this is a non-starter.
On Fri, Jul 20, 2012 at 11:58 AM, Henry Story henry.st...@bblfish.net wrote:
Of course, but you seem to want to support hidden legacy systems, that is
systems none of us know about or can see. It is still a worth while inquiry
to find out how many systems there are for which this is a
On 20 Jul 2012, at 21:02, Tab Atkins Jr. wrote:
On Fri, Jul 20, 2012 at 11:58 AM, Henry Story henry.st...@bblfish.net wrote:
Of course, but you seem to want to support hidden legacy systems, that is
systems none of us know about or can see. It is still a worth while inquiry
to find out how
On Fri, 20 Jul 2012, Henry Story wrote:
How many of those would use ip addresses that are not standard private
ip addresses? (Because if they do, then they would not be affected). Of
those that do not, would IPV6 offer them a scheme where they could
easily use standard private ip
On Fri, Jul 20, 2012 at 11:58 AM, Henry Story henry.st...@bblfish.net wrote:
On 20 Jul 2012, at 18:59, Adam Barth wrote:
On Fri, Jul 20, 2012 at 9:55 AM, Cameron Jones cmhjo...@gmail.com wrote:
On Fri, Jul 20, 2012 at 4:50 PM, Adam Barth w...@adambarth.com wrote:
On Fri, Jul 20, 2012 at 4:37
On 21 Jul 2012, at 05:39, Jonas Sicking wrote:
On Fri, Jul 20, 2012 at 11:58 AM, Henry Story henry.st...@bblfish.net wrote:
On 20 Jul 2012, at 18:59, Adam Barth wrote:
On Fri, Jul 20, 2012 at 9:55 AM, Cameron Jones cmhjo...@gmail.com wrote:
On Fri, Jul 20, 2012 at 4:50 PM, Adam Barth
On Wed, Jul 18, 2012 at 4:41 AM, Henry Story henry.st...@bblfish.net wrote:
And it is the experience of this being required that led me to build a CORS
proxy [1] - (I am not the first to write one, I add quickly)
Yes, the Origin and unauthenticated CORS restrictions are trivially
circumvented
On 19 Jul 2012, at 14:07, Cameron Jones wrote:
On Wed, Jul 18, 2012 at 4:41 AM, Henry Story henry.st...@bblfish.net wrote:
And it is the experience of this being required that led me to build a CORS
proxy [1] - (I am not the first to write one, I add quickly)
Yes, the Origin and
On Wed, Jul 18, 2012 at 4:41 AM, Henry Story henry.st...@bblfish.net wrote:
2. If there is no authentication, then the JS Agent could make the request
via a CORS praxy of its choosing, and so get the content of the resource
anyhow.
Yes, the restriction on performing an unauthenticated GET
On Thu, Jul 19, 2012 at 2:43 PM, Henry Story henry.st...@bblfish.net wrote:
If a mechanism can be found to apply restrictions for private IP ranges then
that
should be used in preference to forcing the rest of the web to implement CORS
restrictions on public data. And indeed the firewall
On Thu, Jul 19, 2012 at 2:54 PM, Anne van Kesteren ann...@annevk.nl wrote:
On Thu, Jul 19, 2012 at 2:43 PM, Henry Story henry.st...@bblfish.net wrote:
If a mechanism can be found to apply restrictions for private IP ranges then
that
should be used in preference to forcing the rest of the web
On Thu, Jul 19, 2012 at 4:10 PM, Cameron Jones cmhjo...@gmail.com wrote:
Isn't this mitigated by the Origin header?
No.
Also, what about the point that this is unethically pushing the costs
of securing private resources onto public access providers?
It is far more unethical to expose a
On Thu, Jul 19, 2012 at 3:06 PM, Eric Rescorla e...@rtfm.com wrote:
On Thu, Jul 19, 2012 at 6:54 AM, Anne van Kesteren ann...@annevk.nl wrote:
On Thu, Jul 19, 2012 at 2:43 PM, Henry Story henry.st...@bblfish.net wrote:
If a mechanism can be found to apply restrictions for private IP ranges
On Thu, Jul 19, 2012 at 3:19 PM, Anne van Kesteren ann...@annevk.nl wrote:
On Thu, Jul 19, 2012 at 4:10 PM, Cameron Jones cmhjo...@gmail.com wrote:
Isn't this mitigated by the Origin header?
No.
Could you expand on this response, please?
My understanding is that requests generate from XHR
On Wed, 18 Jul 2012, Henry Story wrote:
So my argument is that this restriction could be lifted since
1. GET is indempotent - and should not affect the resource fetched
2. If there is no authentication, then the JS Agent could make the
request via a CORS praxy of its choosing, and so
On 18 Jul 2012, at 05:47, Ian Hickson wrote:
On Wed, 18 Jul 2012, Henry Story wrote:
So my argument is that this restriction could be lifted since
1. GET is indempotent - and should not affect the resource fetched
2. If there is no authentication, then the JS Agent could make the
23 matches
Mail list logo