On Tue, 22 Dec 2009 02:48:42 +0100, Kenton Varda ken...@google.com wrote:
It *is* a problem today with XMLHttpRequest. This is, for example, one
reason why we cannot host arbitrary HTML documents uploaded by users on
google.com -- a rather large inconvenience! If it were feasible, we'd be
On Thu, Dec 17, 2009 at 5:49 PM, Ian Hickson i...@hixie.ch wrote:
On Thu, 17 Dec 2009, Tyler Close wrote:
Starting from the X-FRAME-OPTIONS proposal, say the response header
also applies to all embedding that the page renderer does. So it also
covers img, video, etc. In addition to the
On Mon, 21 Dec 2009, Tyler Close wrote:
On Thu, Dec 17, 2009 at 5:49 PM, Ian Hickson i...@hixie.ch wrote:
On Thu, 17 Dec 2009, Tyler Close wrote:
Starting from the X-FRAME-OPTIONS proposal, say the response header
also applies to all embedding that the page renderer does. So it also
On Mon, Dec 21, 2009 at 2:16 PM, Ian Hickson i...@hixie.ch wrote:
On Mon, 21 Dec 2009, Tyler Close wrote:
On Thu, Dec 17, 2009 at 5:49 PM, Ian Hickson i...@hixie.ch wrote:
On Thu, 17 Dec 2009, Tyler Close wrote:
Starting from the X-FRAME-OPTIONS proposal, say the response header
also
On Mon, 21 Dec 2009, Tyler Close wrote:
No, there is a difference in access-control between the two designs.
In the two header design:
1) An XHR GET of the XBL file data by example.org *is* allowed.
2) An xbl import of the XBL data by example.org triggers a rendering error.
That's a bad
On Mon, Dec 21, 2009 at 2:39 PM, Ian Hickson i...@hixie.ch wrote:
On Mon, 21 Dec 2009, Tyler Close wrote:
No, there is a difference in access-control between the two designs.
In the two header design:
1) An XHR GET of the XBL file data by example.org *is* allowed.
2) An xbl import of the
On Mon, 21 Dec 2009, Tyler Close wrote:
On Mon, Dec 21, 2009 at 2:39 PM, Ian Hickson i...@hixie.ch wrote:
On Mon, 21 Dec 2009, Tyler Close wrote:
No, there is a difference in access-control between the two designs.
In the two header design:
1) An XHR GET of the XBL file data by
On Mon, Dec 21, 2009 at 5:35 PM, Adam Barth w...@adambarth.com wrote:
On Mon, Dec 21, 2009 at 5:17 PM, Kenton Varda ken...@google.com wrote:
The problem we're getting at is that CORS is being presented as a
security
mechanism, when in fact it does not provide security. Yes, CORS is
On Thu, 17 Dec 2009, Kenton Varda wrote:
With the right capability-based infrastructure, the capability-based
solution would be trivial too. We don't have this infrastructure.
This is a valid concern.
It's not so much that we don't have one, so much as nobody is proposing
one... I'd be
On Fri, Dec 18, 2009 at 12:04 AM, Ian Hickson i...@hixie.ch wrote:
On Thu, 17 Dec 2009, Kenton Varda wrote:
With the right capability-based infrastructure, the capability-based
solution would be trivial too. We don't have this infrastructure.
This is a valid concern.
It's not so much
On Fri, 18 Dec 2009, Kenton Varda wrote:
If you're saying that a caps-based infrastructure would have
insoluble problems, then that makes it a non-starter.
No, I think all the problems are solvable, but the time we might spend
debating them is unbounded.
If the time it takes to
Somehow I suspect all this has been said many times before...
On Wed, Dec 16, 2009 at 11:45 PM, Maciej Stachowiak m...@apple.com wrote:
CORS would provide at least two benefits, using the exact protocol you'd
use with UM:
1) It lets you know what site is sending the request; with UM there is
On Dec 17, 2009, at 1:42 AM, Kenton Varda wrote:
Somehow I suspect all this has been said many times before...
On Wed, Dec 16, 2009 at 11:45 PM, Maciej Stachowiak m...@apple.com
wrote:
CORS would provide at least two benefits, using the exact protocol
you'd use with UM:
1) It lets you
On Wed, 16 Dec 2009, Devdatta wrote:
hmm.. just an XDR GET on the file at hixie.ch which allows access only if
the request is from damowmow.com ?
It couldn't be XDR -- XDR is a script-based mechanism, whereas XBL can be
invoked before the root element is parsed. But even assuming the XDR
On Thu, Dec 17, 2009 at 2:21 AM, Maciej Stachowiak m...@apple.com wrote:
On Dec 17, 2009, at 1:42 AM, Kenton Varda wrote:
Somehow I suspect all this has been said many times before...
On Wed, Dec 16, 2009 at 11:45 PM, Maciej Stachowiak m...@apple.com wrote:
CORS would provide at least two
On Thu, 17 Dec 2009, Kenton Varda wrote:
OK, I'm sure that this has been said before, because it is critical to
the capability argument:
If Bob can access the data, and Bob can talk to Charlie *in any way at
all*, then it *is not possible* to prevent Bob from granting access to
On Thu, Dec 17, 2009 at 10:08 AM, Maciej Stachowiak m...@apple.com wrote:
My goal was merely to argue that adding an origin/cookie check to a
secret-token-based mechanism adds meaningful defense in depth, compared to
just using any of the proposed protocols over UM. I believe my argument
On Thu, Dec 17, 2009 at 10:08 AM, Maciej Stachowiak m...@apple.com wrote:
On Dec 17, 2009, at 9:15 AM, Kenton Varda wrote:
On Thu, Dec 17, 2009 at 2:21 AM, Maciej Stachowiak m...@apple.com wrote:
I'm not saying that Alice should be restricted in who she shares the feed
with. Just that
On Thu, 17 Dec 2009, Kenton Varda wrote:
It seems more useful to attribute resource usage to the user rather than
to the sites the user uses to access those resources. In my example, I
might want to limit Alice to, say, 1GB data transfer per month, but I
don't see why I would care if that
On Thu, Dec 17, 2009 at 9:38 AM, Ian Hickson i...@hixie.ch wrote:
One of the big reasons to restrict which origin can
use a particular resource is bandwidth management. For example,
resources.example.com might want to allow *.example.com to use its XBL
files, but not allow anyone else to
On Thu, 17 Dec 2009, Tyler Close wrote:
On Thu, Dec 17, 2009 at 9:38 AM, Ian Hickson i...@hixie.ch wrote:
One of the big reasons to restrict which origin can use a particular
resource is bandwidth management. For example, resources.example.com
might want to allow *.example.com to use its
On Thu, Dec 17, 2009 at 3:46 PM, Ian Hickson i...@hixie.ch wrote:
On Thu, 17 Dec 2009, Tyler Close wrote:
On Thu, Dec 17, 2009 at 9:38 AM, Ian Hickson i...@hixie.ch wrote:
One of the big reasons to restrict which origin can use a particular
resource is bandwidth management. For example,
On Thu, 17 Dec 2009, Tyler Close wrote:
On Thu, Dec 17, 2009 at 3:46 PM, Ian Hickson i...@hixie.ch wrote:
On Thu, 17 Dec 2009, Tyler Close wrote:
On Thu, Dec 17, 2009 at 9:38 AM, Ian Hickson i...@hixie.ch wrote:
One of the big reasons to restrict which origin can use a
particular
On Thu, Dec 17, 2009 at 12:58 PM, Ian Hickson i...@hixie.ch wrote:
With CORS, I can trivially (one line in the .htaccess file for my site)
make sure that no sites can use XBL files from my site other than my
sites. My sites don't do any per-user tracking; doing that would involve
orders of
On Thu, Dec 17, 2009 at 4:41 PM, Ian Hickson i...@hixie.ch wrote:
What one liner are you proposing that would solve the problem for XBL,
XML data, videos, etc, all at once?
Are we debating about the state of existing infrastructure, or theoretically
ideal infrastructure? Honest question.
On Thu, Dec 17, 2009 at 4:41 PM, Ian Hickson i...@hixie.ch wrote:
On Thu, 17 Dec 2009, Tyler Close wrote:
On Thu, Dec 17, 2009 at 3:46 PM, Ian Hickson i...@hixie.ch wrote:
On Thu, 17 Dec 2009, Tyler Close wrote:
On Thu, Dec 17, 2009 at 9:38 AM, Ian Hickson i...@hixie.ch wrote:
One of the
On Thu, 17 Dec 2009, Kenton Varda wrote:
On Thu, Dec 17, 2009 at 4:41 PM, Ian Hickson i...@hixie.ch wrote:
What one liner are you proposing that would solve the problem for
XBL, XML data, videos, etc, all at once?
Are we debating about the state of existing infrastructure, or
On Thu, 17 Dec 2009, Tyler Close wrote:
Starting from the X-FRAME-OPTIONS proposal, say the response header
also applies to all embedding that the page renderer does. So it also
covers img, video, etc. In addition to the current values, the
header can also list hostname patterns that may
On Thu, 17 Dec 2009, Kenton Varda wrote:
On Thu, Dec 17, 2009 at 12:58 PM, Ian Hickson i...@hixie.ch wrote:
With CORS, I can trivially (one line in the .htaccess file for my
site) make sure that no sites can use XBL files from my site other
than my sites. My sites don't do any per-user
On Thu, Dec 17, 2009 at 5:49 PM, Ian Hickson i...@hixie.ch wrote:
On Thu, 17 Dec 2009, Tyler Close wrote:
X-FRAME-OPTIONS: *.example.com
Access-Control-Allow-Origin: *
Why is this better than:
Access-Control-Allow-Origin: *.example.com
...?
I think Tyler missed on this one.
Without the benefit of full context (I only started following this list
recently), I'd like cautiously to suggest that the UM solution to Ian's
challenge seems awkward because the challenge is itself a poor design, and
UM tends to be more difficult to work with when used to implement designs
that
On Wed, 16 Dec 2009, Kenton Varda wrote:
Without the benefit of full context (I only started following this list
recently), I'd like cautiously to suggest that the UM solution to Ian's
challenge seems awkward because the challenge is itself a poor design,
and UM tends to be more difficult
On Wed, Dec 16, 2009 at 9:25 PM, Ian Hickson i...@hixie.ch wrote:
A concrete example of the example I was talking about is Google's Finance
GData API. There's a fixed URL on A (Google's site) that represents my
finance information. There's a site B (my portal page) that is hard-coded
to fetch
Another example would be an XBL binding file on hixie.ch that is
accessible only to pages on damowmow.com. With CORS I can do this with one
line in my .htaccess file. I don't see how to do it at all with UM.
Seems to me that these examples can just as easily be done with IE's
XDomainRequest.
On Wed, 16 Dec 2009, Devdatta wrote:
Another example would be an XBL binding file on hixie.ch that is
accessible only to pages on damowmow.com. With CORS I can do this with one
line in my .htaccess file. I don't see how to do it at all with UM.
Seems to me that these examples can just
hmm.. just an XDR GET on the file at hixie.ch which allows access only
if the request is from damowmow.com ?
I am not sure -- is there anything special about XBL bindings which
would result in this not working ?
Cheers
devdatta
2009/12/16 Ian Hickson i...@hixie.ch:
On Wed, 16 Dec 2009, Devdatta
On Dec 16, 2009, at 11:30 PM, Devdatta wrote:
hmm.. just an XDR GET on the file at hixie.ch which allows access only
if the request is from damowmow.com ?
I am not sure -- is there anything special about XBL bindings which
would result in this not working ?
If I recall correctly, XDR sends
On Dec 16, 2009, at 9:10 PM, Kenton Varda wrote:
Without the benefit of full context (I only started following this
list recently), I'd like cautiously to suggest that the UM solution
to Ian's challenge seems awkward because the challenge is itself a
poor design, and UM tends to be more
On Mon, Dec 14, 2009 at 6:14 PM, Jonas Sicking jo...@sicking.cc wrote:
For what it's worth, I'm not sure that eliminating is correct here.
With UM, I can certainly see people doing things like using a wrapping
library for all UM requests (very commonly done with XHR today), and
then letting
On Mon, Dec 14, 2009 at 6:14 PM, Jonas Sicking jo...@sicking.cc wrote:
On Mon, Dec 14, 2009 at 4:52 PM, Tyler Close tyler.cl...@gmail.com wrote:
On Sun, Dec 13, 2009 at 6:15 PM, Maciej Stachowiak m...@apple.com wrote:
There seem to be two schools of thought that to some extent inform the
On Mon, Dec 14, 2009 at 4:26 PM, Tyler Close tyler.cl...@gmail.com wrote:
On Mon, Dec 14, 2009 at 2:38 PM, Adam Barth w...@adambarth.com wrote:
On Mon, Dec 14, 2009 at 2:13 PM, Tyler Close tyler.cl...@gmail.com wrote:
For example, the
User Consent Phase and Grant Phase above could be replaced
On Tue, Dec 15, 2009 at 10:12 AM, Tyler Close tyler.cl...@gmail.com wrote:
Just so that everyone knows, IE has changed this policy, so it's not a
situation where we'll be waiting forever. See:
http://msdn.microsoft.com/en-us/library/bb250473(VS.85).aspx
Adam, were you aware of this policy
Comments inline
On Sun, Dec 13, 2009 at 9:15 PM, Maciej Stachowiak m...@apple.com wrote:
On Dec 13, 2009, at 3:47 PM, Mark S. Miller wrote:
On Sun, Dec 13, 2009 at 3:19 PM, Maciej Stachowiak m...@apple.com wrote:
The literature you cited seems to mostly be about whether capability
systems
On Mon, Dec 14, 2009 at 5:53 AM, Jonathan Rees j...@creativecommons.org wrote:
The only complaint I know of regarding UM is that it is so complicated
to use in practice that it will not be as enabling as CORS
Actually, Tyler's UM protocol requires the user to confirm message 5
to prevent a CSRF
On Mon, Dec 14, 2009 at 10:16 AM, Adam Barth w...@adambarth.com wrote:
On Mon, Dec 14, 2009 at 5:53 AM, Jonathan Rees j...@creativecommons.org
wrote:
The only complaint I know of regarding UM is that it is so complicated
to use in practice that it will not be as enabling as CORS
Actually,
On Dec 14, 2009, at 10:44 AM, Tyler Close wrote:
On Mon, Dec 14, 2009 at 10:16 AM, Adam Barth w...@adambarth.com
wrote:
On Mon, Dec 14, 2009 at 5:53 AM, Jonathan Rees j...@creativecommons.org
wrote:
The only complaint I know of regarding UM is that it is so
complicated
to use in practice
On Mon, Dec 14, 2009 at 2:13 PM, Tyler Close tyler.cl...@gmail.com wrote:
For example, the
User Consent Phase and Grant Phase above could be replaced by a single
copy-paste operation by the user.
Any design that involves storing confidential information in the
clipboard is insecure because IE
On Dec 14, 2009, at 2:38 PM, Adam Barth wrote:
On Mon, Dec 14, 2009 at 2:13 PM, Tyler Close tyler.cl...@gmail.com
wrote:
For example, the
User Consent Phase and Grant Phase above could be replaced by a
single
copy-paste operation by the user.
Any design that involves storing
On Mon, Dec 14, 2009 at 2:38 PM, Adam Barth w...@adambarth.com wrote:
On Mon, Dec 14, 2009 at 2:13 PM, Tyler Close tyler.cl...@gmail.com wrote:
For example, the
User Consent Phase and Grant Phase above could be replaced by a single
copy-paste operation by the user.
Any design that involves
On Mon, Dec 14, 2009 at 3:04 PM, Maciej Stachowiak m...@apple.com wrote:
On Dec 14, 2009, at 2:38 PM, Adam Barth wrote:
On Mon, Dec 14, 2009 at 2:13 PM, Tyler Close tyler.cl...@gmail.com
wrote:
For example, the
User Consent Phase and Grant Phase above could be replaced by a single
On Sun, Dec 13, 2009 at 6:15 PM, Maciej Stachowiak m...@apple.com wrote:
There seem to be two schools of thought that to some extent inform the
thinking of participants in this discussion:
1) Try to encourage capability-based mechanisms by not providing anything
that lets you extend the use of
On Mon, Dec 14, 2009 at 4:52 PM, Tyler Close tyler.cl...@gmail.com wrote:
On Sun, Dec 13, 2009 at 6:15 PM, Maciej Stachowiak m...@apple.com wrote:
There seem to be two schools of thought that to some extent inform the
thinking of participants in this discussion:
1) Try to encourage
I enter this subthread with trepidation, because I do not think the
Working Group is in a position to engage in a literature review on an
active research topic. However, a few comments below:
On Dec 13, 2009, at 1:29 PM, Mark S. Miller wrote:
On Sun, Dec 13, 2009 at 12:26 PM, Adam Barth
On Sun, Dec 13, 2009 at 3:19 PM, Maciej Stachowiak m...@apple.com wrote:
I enter this subthread with trepidation, because I do not think the Working
Group is in a position to engage in a literature review on an active
research topic. However, a few comments below:
I am not the one who
On Dec 13, 2009, at 3:47 PM, Mark S. Miller wrote:
On Sun, Dec 13, 2009 at 3:19 PM, Maciej Stachowiak m...@apple.com
wrote:
The literature you cited seems to mostly be about whether capability
systems have various technical flaws, and whether they can be made
to do various things that
55 matches