Review of CORS and WebAppSec prior to LCWD

2012-03-06 Thread Cameron Jones
to protect them. I hope this review and feedback will be appreciated and considered with further advancement of web app security. Thanks, Cameron Jones

Re: [CORS] Review of CORS and WebAppSec prior to LCWD

2012-03-07 Thread Cameron Jones
the right audience. thanks, Cameron Jones On Wed, Mar 7, 2012 at 1:39 PM, Arthur Barstow art.bars...@nokia.com wrote: [ + public-webappsec ] Below is a comment about CORS. Given the original CfC for LCWD was started months ago, perhaps this comment should be considered as an LC comment. Re

Re: Why the restriction on unauthenticated GET in CORS?

2012-07-19 Thread Cameron Jones
of enforcing their chosen security policies. Thanks, Cameron Jones

Re: Why the restriction on unauthenticated GET in CORS?

2012-07-19 Thread Cameron Jones
support for the proposal. Social Web Architect http://bblfish.net/ Thanks, Cameron Jones

Re: Why the restriction on unauthenticated GET in CORS?

2012-07-19 Thread Cameron Jones
authentication to private resources as e.g. W3C has used for some time. Isn't this mitigated by the Origin header? Also, what about the point that this is unethically pushing the costs of securing private resources onto public access providers? Thanks, Cameron Jones

Re: Why the restriction on unauthenticated GET in CORS?

2012-07-19 Thread Cameron Jones
understanding and can assist in further adoption and advocacy. Thanks, Cameron Jones

Re: Why the restriction on unauthenticated GET in CORS?

2012-07-19 Thread Cameron Jones
On Thu, Jul 19, 2012 at 3:19 PM, Anne van Kesteren ann...@annevk.nl wrote: On Thu, Jul 19, 2012 at 4:10 PM, Cameron Jones cmhjo...@gmail.com wrote: Isn't this mitigated by the Origin header? No. Could you expand on this response, please? My understanding is that requests generate from XHR

Re: Why the restriction on unauthenticated GET in CORS?

2012-07-20 Thread Cameron Jones
On Fri, Jul 20, 2012 at 8:29 AM, Adam Barth w...@adambarth.com wrote: On Thu, Jul 19, 2012 at 7:50 AM, Cameron Jones cmhjo...@gmail.com wrote: On Thu, Jul 19, 2012 at 3:19 PM, Anne van Kesteren ann...@annevk.nl wrote: On Thu, Jul 19, 2012 at 4:10 PM, Cameron Jones cmhjo...@gmail.com wrote

Re: Why the restriction on unauthenticated GET in CORS?

2012-07-20 Thread Cameron Jones
On Fri, Jul 20, 2012 at 4:50 PM, Adam Barth w...@adambarth.com wrote: On Fri, Jul 20, 2012 at 4:37 AM, Cameron Jones cmhjo...@gmail.com wrote: So, this is a non-starter. Thanks for all the fish. That's why we have the current design. Yes, I note the use of the word current and not final

Re: [XHR] Setting the User-Agent header

2012-09-06 Thread Cameron Jones
such content is by replicating the exact environment, potentially in hardware and software. This functionality is useful in providing administrative access for online development, debugging and testing. Thanks, Cameron Jones