Re: CORS ISSUE-108

2010-11-23 Thread Tyler Close
My recollection of the status of ISSUE-108 is that CORS was going to provide functionality equivalent to that of UMP when the CORS credentials flag is false. CORS was also going to expand its Security Considerations section to explain the Confused Deputy issues, possibly by borrowing text

Re: Seeking agenda items for WebApps' Nov 1-2 f2f meeting

2010-09-13 Thread Tyler Close
On Sat, Sep 11, 2010 at 7:00 AM, Mark S. Miller erig...@google.com wrote: On Sat, Sep 11, 2010 at 5:43 AM, Arthur Barstow art.bars...@nokia.com wrote: * CORS, UMP - Anne will attend but what about MarkM and Tyler? Jeff, Thomas - are you planning some type of Web Application Security

Re: [cors] Unrestricted access

2010-07-14 Thread Tyler Close
On Tue, Jul 13, 2010 at 8:12 AM, Jonas Sicking jo...@sicking.cc wrote: On Tue, Jul 13, 2010 at 3:47 AM, Anne van Kesteren ann...@opera.com wrote: On Tue, 13 Jul 2010 12:35:02 +0200, Jaka Jančar j...@kubje.org wrote: What I'd like is a global (per-host) way to disable these limitations all at

Re: [cors] Unrestricted access

2010-07-14 Thread Tyler Close
On Wed, Jul 14, 2010 at 12:02 PM, Jonas Sicking jo...@sicking.cc wrote: On Wed, Jul 14, 2010 at 10:39 AM, Tyler Close tyler.cl...@gmail.com wrote: On Tue, Jul 13, 2010 at 8:12 AM, Jonas Sicking jo...@sicking.cc wrote: On Tue, Jul 13, 2010 at 3:47 AM, Anne van Kesteren ann...@opera.com wrote

Re: [cors] Simplify CORS Headers (ISSUE-89)

2010-05-26 Thread Tyler Close
On Mon, May 24, 2010 at 8:23 AM, Adrian Bateman adria...@microsoft.com wrote: In IE, we only support Access-Control-Allow-Origin and combining with other values (albeit optional ones) that we don't support might be misleading. It also introduces some additional parsing that changes the

Re: widget example of CORS and UMP

2010-05-14 Thread Tyler Close
On Fri, May 14, 2010 at 1:15 AM, Maciej Stachowiak m...@apple.com wrote: OK, so there's two vulnerability scenarios: Actually, there is at least one other kind of vulnerability in the CORS design that has not been mentioned by anyone yet and that does not require XSS or untrusted code. Before I

Re: widget example of CORS and UMP

2010-05-14 Thread Tyler Close
On Fri, May 14, 2010 at 11:00 AM, Dirk Pranke dpra...@chromium.org wrote: On Fri, May 14, 2010 at 1:15 AM, Maciej Stachowiak m...@apple.com wrote: There are also more subtle risks to shared secrets. If you are creating your secrets with a bad random number generator, then they will not in fact

Re: widget example of CORS and UMP

2010-05-14 Thread Tyler Close
On Fri, May 14, 2010 at 12:27 PM, Dirk Pranke dpra...@chromium.org wrote: On Fri, May 14, 2010 at 12:00 PM, Tyler Close tyler.cl...@gmail.com wrote: On Fri, May 14, 2010 at 11:27 AM, Dirk Pranke dpra...@chromium.org wrote: On Fri, May 14, 2010 at 10:18 AM, Tyler Close tyler.cl...@gmail.com

Re: UMP / CORS: Implementor Interest

2010-05-12 Thread Tyler Close
On Tue, May 11, 2010 at 5:15 PM, Ian Hickson i...@hixie.ch wrote: On Tue, 11 May 2010, Tyler Close wrote: CORS introduces subtle but severe Confused Deputy vulnerabilities I don't think everyone is convinced that this is the case. AFAICT, there is consensus that CORS has Confused Deputy

Re: UMP / CORS: Implementor Interest

2010-05-12 Thread Tyler Close
On Wed, May 12, 2010 at 11:21 AM, Ojan Vafai o...@chromium.org wrote: On Wed, May 12, 2010 at 9:01 AM, Tyler Close tyler.cl...@gmail.com wrote: In the general case, including many common cases, doing this validation is not feasible. The CORS specification should not be allowed to proceed

Re: UMP / CORS: Implementor Interest

2010-05-12 Thread Tyler Close
On Wed, May 12, 2010 at 11:42 AM, Jonas Sicking jo...@sicking.cc wrote: On Wed, May 12, 2010 at 11:35 AM, Tyler Close tyler.cl...@gmail.com wrote: On Wed, May 12, 2010 at 11:21 AM, Ojan Vafai o...@chromium.org wrote: On Wed, May 12, 2010 at 9:01 AM, Tyler Close tyler.cl...@gmail.com wrote

Re: CORS Header Filtering?

2010-05-12 Thread Tyler Close
On Wed, May 12, 2010 at 12:33 PM, Nathan nat...@webr3.org wrote: Yes, The simplest argument I can give is that we (server admins) are trusted to set the CORS headers, but not to remove any headers we don't want an XHR request to see - this is frankly ridiculous. The problem is there might

Re: CORS Header Filtering?

2010-05-12 Thread Tyler Close
On Wed, May 12, 2010 at 1:05 PM, Nathan nat...@webr3.org wrote: Tyler Close wrote: On Wed, May 12, 2010 at 12:33 PM, Nathan nat...@webr3.org wrote: Yes, The simplest argument I can give is that we (server admins) are trusted to set the CORS headers, but not to remove any headers we don't

Re: UMP / CORS: Implementor Interest

2010-05-12 Thread Tyler Close
On Wed, May 12, 2010 at 1:13 PM, Jonas Sicking jo...@sicking.cc wrote: On Wed, May 12, 2010 at 12:38 PM, Devdatta dev.akh...@gmail.com wrote: While most of the discussion in this thread is just repeats of previous discussions, I think Tyler makes a good (and new) point in that the current CORS

Re: UMP / CORS: Implementor Interest

2010-05-12 Thread Tyler Close
On Wed, May 12, 2010 at 4:45 PM, Adam Barth w...@adambarth.com wrote: On Wed, May 12, 2010 at 4:38 PM, Dirk Pranke dpra...@google.com wrote: On Wed, May 12, 2010 at 4:06 PM, Adam Barth w...@adambarth.com wrote: On Wed, May 12, 2010 at 3:16 PM, Tyler Close tyler.cl...@gmail.com wrote: On Wed

Re: UMP / CORS: Implementor Interest

2010-05-12 Thread Tyler Close
On Wed, May 12, 2010 at 5:07 PM, Adam Barth w...@adambarth.com wrote: On Wed, May 12, 2010 at 4:56 PM, Tyler Close tyler.cl...@gmail.com wrote: On Wed, May 12, 2010 at 4:45 PM, Adam Barth w...@adambarth.com wrote: On Wed, May 12, 2010 at 4:38 PM, Dirk Pranke dpra...@google.com wrote: On Wed

Re: UMP / CORS: Implementor Interest

2010-05-12 Thread Tyler Close
On Wed, May 12, 2010 at 5:36 PM, Dirk Pranke dpra...@google.com wrote: On Wed, May 12, 2010 at 5:15 PM, Tyler Close tyler.cl...@gmail.com wrote: On Wed, May 12, 2010 at 5:07 PM, Adam Barth w...@adambarth.com wrote: On Wed, May 12, 2010 at 4:56 PM, Tyler Close tyler.cl...@gmail.com wrote: Both

Re: UMP / CORS: Implementor Interest

2010-05-12 Thread Tyler Close
On Wed, May 12, 2010 at 6:33 PM, Ian Hickson i...@hixie.ch wrote: On Wed, 12 May 2010, Tyler Close wrote: It is also not a question of opinion, but fact. CORS uses ambient authority for access control in 3 party scenarios. CORS is therefore vulnerable to Confused Deputy. That's like

Re: UMP / CORS: Implementor Interest

2010-05-11 Thread Tyler Close
Firefox, Chrome and Caja have now all declared an interest in implementing UMP. Opera and Safari have both declared an interest in implementing the functionality defined in UMP under the name CORS. I think it's clear that UMP has sufficient implementor interest to proceed along the standardization

Re: UMP / CORS: Implementor Interest

2010-05-11 Thread Tyler Close
On Tue, May 11, 2010 at 10:54 AM, Anne van Kesteren ann...@opera.com wrote: On Tue, 11 May 2010 19:48:57 +0200, Tyler Close tyler.cl...@gmail.com wrote: Firefox, Chrome and Caja have now all declared an interest in implementing UMP. Opera and Safari have both declared an interest

Re: UMP / CORS: Implementor Interest

2010-05-11 Thread Tyler Close
On Tue, May 11, 2010 at 11:41 AM, Ojan Vafai o...@chromium.org wrote: What is the difference between an authoring guide and a specification for web developers? The difference is whether or not the normative statements in UMP actually are normative for a CORS implementation. This comes down to

Re: UMP / CORS: Implementor Interest

2010-05-11 Thread Tyler Close
On Tue, May 11, 2010 at 12:36 PM, Arthur Barstow art.bars...@nokia.com wrote: Jonas, Anne, Tyler, All, On May 11, 2010, at 3:08 PM, ext Jonas Sicking wrote: Personally I would prefer to see the UMP model be specced as part of the CORS spec, mostly to avoid inevitable differences between two

Re: UMP / CORS: Implementor Interest

2010-04-21 Thread Tyler Close
On Wed, Apr 21, 2010 at 8:57 AM, Anne van Kesteren ann...@opera.com wrote: Uniform doesn't tell you much about what it is doing. The term uniform in Uniform Messaging Policy (UMP) is used in the same sense as it is used in Uniform Resource Identifier (URI). In particular, the following from RFC

Re: UMP / CORS: Implementor Interest

2010-04-20 Thread Tyler Close
On Mon, Apr 19, 2010 at 6:47 PM, Anne van Kesteren ann...@opera.com wrote: On Tue, 20 Apr 2010 00:38:54 +0900, Jonas Sicking jo...@sicking.cc wrote: As I've said before. I'd be interested in implementing UMP in firefox if we can come up with a reasonable API for using it. I.e. a separate

Re: UMP / CORS: Implementor Interest

2010-04-20 Thread Tyler Close
On Tue, Apr 20, 2010 at 11:39 AM, Maciej Stachowiak m...@apple.com wrote: On Apr 20, 2010, at 9:27 AM, Tyler Close wrote: On Mon, Apr 19, 2010 at 6:47 PM, Anne van Kesteren ann...@opera.com wrote: On Tue, 20 Apr 2010 00:38:54 +0900, Jonas Sicking jo...@sicking.cc wrote: As I've said

Re: UMP / CORS: Implementor Interest

2010-04-20 Thread Tyler Close
On Tue, Apr 20, 2010 at 11:36 AM, Jonas Sicking jo...@sicking.cc wrote: On Tue, Apr 20, 2010 at 9:27 AM, Tyler Close tyler.cl...@gmail.com wrote: On Mon, Apr 19, 2010 at 6:47 PM, Anne van Kesteren ann...@opera.com wrote: On Tue, 20 Apr 2010 00:38:54 +0900, Jonas Sicking jo...@sicking.cc wrote

Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

2010-04-19 Thread Tyler Close
On Mon, Apr 19, 2010 at 10:55 AM, Julian Reschke julian.resc...@gmx.de wrote: On 19.04.2010 19:37, Tyler Close wrote: The default members of the above whitelist include response entity headers defined by [HTTP], plus the Location and Warning headers. The Why are you ignoring other headers

Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

2010-04-19 Thread Tyler Close
On Mon, Apr 19, 2010 at 11:39 AM, Jonas Sicking jo...@sicking.cc wrote: On Mon, Apr 19, 2010 at 11:30 AM, Maciej Stachowiak m...@apple.com wrote: On Apr 19, 2010, at 10:06 AM, Tyler Close wrote: Uniform-Headers = Uniform-Headers : ( * | #field-name ) [...] Are Apple and/or Firefox

Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

2010-04-14 Thread Tyler Close
I have been studying CORS ISSUE-90 http://www.w3.org/2008/webapps/track/issues/90, so as to bring UMP into line with this part of CORS. I can't find any pattern or rationale to the selection of headers on the whitelist versus those not on the whitelist. Does anyone know where this list came from

Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call]

2010-04-14 Thread Tyler Close
On Wed, Apr 14, 2010 at 9:41 AM, Tyler Close tyler.cl...@gmail.com wrote: I have been studying CORS ISSUE-90 http://www.w3.org/2008/webapps/track/issues/90, so as to bring UMP into line with this part of CORS. I can't find any pattern or rationale to the selection of headers on the whitelist

Re: [UMP] Subsetting (was: [XHR2] AnonXMLHttpRequest())

2010-04-12 Thread Tyler Close
On Mon, Apr 12, 2010 at 6:49 AM, Arthur Barstow art.bars...@nokia.com wrote: Maciej, Tyler - thanks for continuing this discussion. I think it would be helpful to have consensus on what we mean by subsetting in this context. (Perhaps the agreed definition could be added to the CORS and UMP

Re: [UMP] Subsetting (was: [XHR2] AnonXMLHttpRequest())

2010-04-12 Thread Tyler Close
On Mon, Apr 12, 2010 at 1:00 PM, Maciej Stachowiak m...@apple.com wrote: On Apr 12, 2010, at 10:33 AM, Tyler Close wrote: On Mon, Apr 12, 2010 at 6:49 AM, Arthur Barstow art.bars...@nokia.com wrote: Maciej, Tyler - thanks for continuing this discussion. I think it would be helpful to have

Re: [UMP] Request for Last Call

2010-04-08 Thread Tyler Close
On Thu, Apr 8, 2010 at 5:44 AM, Marcos Caceres marc...@opera.com wrote: To me personally, it only really makes sense for UMP to be merged into CORS. Having both specs is confusing. Given that we've created a superset-subset relationship between CORS and UMP, we don't have divergent specs for

Re: [UMP] Subsetting (was: [XHR2] AnonXMLHttpRequest())

2010-04-08 Thread Tyler Close
On Wed, Feb 3, 2010 at 7:40 PM, Maciej Stachowiak m...@apple.com wrote: Actually, the other proposal is to provide an XHR-like API that would use CORS forcing a unique origin as an input parameter - there is no need to My hope is that this would be semantically equivalent to using UMP. This

Re: [XHR2] AnonXMLHttpRequest()

2010-02-04 Thread Tyler Close
On Wed, Feb 3, 2010 at 2:34 PM, Maciej Stachowiak m...@apple.com wrote: I don't think I've ever seen a Web server send Vary: Cookie. I don't know offhand if they consistently send enough cache control headers to prevent caching across users. I've been doing a little poking around. Wikipedia

Re: [XHR2] AnonXMLHttpRequest()

2010-02-03 Thread Tyler Close
On Tue, Feb 2, 2010 at 11:37 PM, Maciej Stachowiak m...@apple.com wrote: I think the credentials flag should specifically affect cookies, http authentication, and client-side SSL certs, but not proxy authentication (or, obviously, Origin). Anne, can you fix this? Perhaps the best way to fix

Re: [XHR2] AnonXMLHttpRequest()

2010-02-03 Thread Tyler Close
On Wed, Feb 3, 2010 at 1:00 AM, Jonas Sicking jo...@sicking.cc wrote: Another thing that might be worth noting is that if the UA contains a HTTP cache (which most popular UAs do), the UA must never use a cached response that was the result of a request that was made with credentials, when

Re: [XHR2] AnonXMLHttpRequest()

2010-02-03 Thread Tyler Close
On Wed, Feb 3, 2010 at 11:30 AM, Jonas Sicking jo...@sicking.cc wrote: On Wed, Feb 3, 2010 at 10:12 AM, Tyler Close tyler.cl...@gmail.com wrote: On Wed, Feb 3, 2010 at 1:00 AM, Jonas Sicking jo...@sicking.cc wrote: Another thing that might be worth noting is that if the UA contains a HTTP

Re: [XHR2] AnonXMLHttpRequest()

2010-02-03 Thread Tyler Close
On Wed, Feb 3, 2010 at 1:32 PM, Julian Reschke julian.resc...@gmx.de wrote: Tyler Close wrote: On Wed, Feb 3, 2010 at 1:00 AM, Jonas Sicking jo...@sicking.cc wrote: Another thing that might be worth noting is that if the UA contains a HTTP cache (which most popular UAs do), the UA must never

Re: [XHR2] AnonXMLHttpRequest()

2010-02-03 Thread Tyler Close
On Wed, Feb 3, 2010 at 2:12 PM, Julian Reschke julian.resc...@gmx.de wrote: We know that Vary doesn't work well in practice because of all the bugs/shortcomings in IE. For requests with cookies, there's an interesting tension there between wanting to support private caching in IE, but

Re: [XHR2] AnonXMLHttpRequest()

2010-02-02 Thread Tyler Close
On Sun, Jan 31, 2010 at 11:03 PM, Maciej Stachowiak m...@apple.com wrote: I'm curious what practical differences there are between CORS with the credentials flag set to false and the origin set to null, and UMP. Are there any? The credentials flag in CORS is underspecified, so it's hard to

Re: [XHR2] AnonXMLHttpRequest()

2010-02-02 Thread Tyler Close
On Tue, Feb 2, 2010 at 5:14 PM, Maciej Stachowiak m...@apple.com wrote: On Feb 2, 2010, at 11:15 AM, Tyler Close wrote: On Sun, Jan 31, 2010 at 11:03 PM, Maciej Stachowiak m...@apple.com wrote: I'm curious what practical differences there are between CORS with the credentials flag set

Re: [UMP] Server opt-in

2010-01-14 Thread Tyler Close
, if a malicious client does send credentials, these have no impact on processing of the request. On Tue, Jan 12, 2010 at 4:56 PM, Tyler Close tyler.cl...@gmail.com wrote: UMP supports confidentiality where client and server desire confidentiality. My question, then, is how can a server enjoy

Re: [UMP] Server opt-in

2010-01-14 Thread Tyler Close
On Thu, Jan 14, 2010 at 11:34 AM, Adam Barth w...@adambarth.com wrote: On Thu, Jan 14, 2010 at 9:20 AM, Tyler Close tyler.cl...@gmail.com wrote: The confidentiality of a resource can be compromised by a CSRF vulnerability in a legitimate client. Can you define what you mean by CSRF? I think

Re: [UMP] Proxy-Authorization

2010-01-12 Thread Tyler Close
On Mon, Jan 11, 2010 at 5:06 PM, Adam Barth w...@adambarth.com wrote: On Mon, Jan 11, 2010 at 12:40 PM, Tyler Close tyler.cl...@gmail.com wrote: On Sun, Jan 10, 2010 at 2:25 PM, Adam Barth w...@adambarth.com wrote: More abstractly, why aren't we worrying about P misbehaving based

Re: [UMP] Proxy-Authorization

2010-01-12 Thread Tyler Close
On Tue, Jan 12, 2010 at 12:29 PM, Adam Barth w...@adambarth.com wrote: On Tue, Jan 12, 2010 at 10:51 AM, Tyler Close tyler.cl...@gmail.com wrote: It's not feasible to remove all ambient authority. For example, the client has the authority to send requests from its IP address. So we draw a line

Re: [UMP] Server opt-in

2010-01-12 Thread Tyler Close
I believe all three protocols attach the same semantics to the Access-Control-Allow-Origin: * response header sent in response to a GET or POST request. Unless you know of a significant difference in the semantics, breaking compatibility seems unwarranted. --Tyler On Tue, Jan 12, 2010 at 12:54

Re: [UMP] Server opt-in

2010-01-12 Thread Tyler Close
On Tue, Jan 12, 2010 at 2:44 PM, Adam Barth w...@adambarth.com wrote: On Tue, Jan 12, 2010 at 2:19 PM, Tyler Close tyler.cl...@gmail.com wrote: On Tue, Jan 12, 2010 at 12:54 PM, Adam Barth aba...@webkit.org wrote: In the current draft of UMP, the client can opt-in to UMP by choosing to use

Re: [UMP] Server opt-in

2010-01-12 Thread Tyler Close
On Tue, Jan 12, 2010 at 2:57 PM, Adam Barth w...@adambarth.com wrote: On Tue, Jan 12, 2010 at 2:47 PM, Tyler Close tyler.cl...@gmail.com wrote: On Tue, Jan 12, 2010 at 2:44 PM, Adam Barth w...@adambarth.com wrote: Let me phrase my question another way. Suppose the following situation: 1) I'm

Re: CfC: to publish First Public Working Draft of Uniform Messaging Policy spec; deadline January 19

2010-01-12 Thread Tyler Close
there is consensus on the spec's contents. As with all of our CfCs, positive response is preferred and encouraged and silence will be assumed to be assent. The deadline for comments is January 19. -Art Barstow Begin forwarded message: From: ext Tyler Close tyler.cl...@gmail.com Date: January 7

Re: CfC: to publish First Public Working Draft of Uniform Messaging Policy spec; deadline January 19

2010-01-12 Thread Tyler Close
not necessarily mean there is consensus on the spec's contents. As with all of our CfCs, positive response is preferred and encouraged and silence will be assumed to be assent. The deadline for comments is January 19. -Art Barstow Begin forwarded message: From: ext Tyler Close tyler.cl

Re: [UMP] Server opt-in

2010-01-12 Thread Tyler Close
at 3:10 PM, Tyler Close tyler.cl...@gmail.com wrote: On Tue, Jan 12, 2010 at 2:57 PM, Adam Barth w...@adambarth.com wrote: On Tue, Jan 12, 2010 at 2:47 PM, Tyler Close tyler.cl...@gmail.com wrote: On Tue, Jan 12, 2010 at 2:44 PM, Adam Barth w...@adambarth.com wrote: Let my phrase my question

Re: [UMP] Proxy-Authorization

2010-01-12 Thread Tyler Close
On Tue, Jan 12, 2010 at 3:04 PM, Adam Barth w...@adambarth.com wrote: On Tue, Jan 12, 2010 at 1:59 PM, Tyler Close tyler.cl...@gmail.com wrote: On Tue, Jan 12, 2010 at 12:29 PM, Adam Barth w...@adambarth.com wrote: On Tue, Jan 12, 2010 at 10:51 AM, Tyler Close tyler.cl...@gmail.com wrote: It's

Re: [UMP] Proxy-Authorization

2010-01-11 Thread Tyler Close
On Sun, Jan 10, 2010 at 2:25 PM, Adam Barth w...@adambarth.com wrote: I don't quite understand this part of that text: [[ In this case, the request sent by the user-agent is not a uniform request; however, the request ultimately delivered to the resource host will be, since any

Re: [UMP] Proxy-Authorization

2010-01-10 Thread Tyler Close
On Sat, Jan 9, 2010 at 10:50 AM, Adam Barth w...@adambarth.com wrote: The UMP spec says: [[ The user agent must not add any information obtained from: HTTP cookies, HTTP Auth headers, client certificates, or the referring resource, including its origin (other than the request parameters).

Re: [UMP] Feedback on UMP from a quick read

2010-01-10 Thread Tyler Close
On Sun, Jan 10, 2010 at 6:54 AM, Maciej Stachowiak m...@apple.com wrote: What I meant to say was that the weak confidentiality protection for ECMAScript should not be used as an excuse to weaken protection for other resources. And I was never proposing to weaken existing protection for other

Re: [UMP] Feedback on UMP from a quick read

2010-01-09 Thread Tyler Close
On Fri, Jan 8, 2010 at 4:56 PM, Adam Barth w...@adambarth.com wrote: On Fri, Jan 8, 2010 at 4:43 PM, Tyler Close tyler.cl...@gmail.com wrote: On Fri, Jan 8, 2010 at 3:56 PM, Adam Barth w...@adambarth.com wrote: [... Requiring uniform responses to redirects ...] It's a good thing to question

Re: [UMP] Feedback on UMP from a quick read

2010-01-09 Thread Tyler Close
On Fri, Jan 8, 2010 at 3:36 PM, Tyler Close tyler.cl...@gmail.com wrote: On Fri, Jan 8, 2010 at 1:41 PM, Adam Barth w...@adambarth.com wrote: What happens with Set-Cookie headers included in uniform responses? It seems like we ought to ignore them based on the principle that UMP requests

Re: [UMP] Feedback on UMP from a quick read

2010-01-09 Thread Tyler Close
On Sat, Jan 9, 2010 at 10:20 AM, Adam Barth w...@adambarth.com wrote: On Sat, Jan 9, 2010 at 7:23 AM, Tyler Close tyler.cl...@gmail.com wrote: Since in general this design cannot be made safe, I think it's better to not support it at all in the security model, by allowing a uniform request

Re: [UMP] Feedback on UMP from a quick read

2010-01-09 Thread Tyler Close
On Sat, Jan 9, 2010 at 2:23 PM, Adam Barth w...@adambarth.com wrote: On Sat, Jan 9, 2010 at 1:57 PM, Tyler Close tyler.cl...@gmail.com wrote: On Sat, Jan 9, 2010 at 10:20 AM, Adam Barth w...@adambarth.com wrote: That's the security model we have. For example, it's safe to return untrusted

Re: [UMP] Feedback on UMP from a quick read

2010-01-08 Thread Tyler Close
On Fri, Jan 8, 2010 at 1:41 PM, Adam Barth w...@adambarth.com wrote: [[ In particular, the user agent should not add the HTTP headers: User-Agent, Accept, Accept-Language, Accept-Encoding, or Accept-Charset ]] This seems a bit overly constrictive. Maybe we should send Accept: */*, etc?

Re: [UMP] Feedback on UMP from a quick read

2010-01-08 Thread Tyler Close
On Fri, Jan 8, 2010 at 2:53 PM, Adam Barth w...@adambarth.com wrote: One more question: the draft doesn't seem to provide any way to generate a uniform request. Are we planning to have another specification for an API for generating these requests? Similar to CORS, UMP is just the security

Re: [UMP] Feedback on UMP from a quick read

2010-01-08 Thread Tyler Close
On Fri, Jan 8, 2010 at 3:56 PM, Adam Barth w...@adambarth.com wrote: On Fri, Jan 8, 2010 at 3:36 PM, Tyler Close tyler.cl...@gmail.com wrote: There are two uses for this requirement: 1. On browsers that don't yet support any cross-domain API, it would be nice to emulate support by routing

[UMP] A declarative version of Uniform Messaging Policy

2010-01-07 Thread Tyler Close
me know if there is anything I need to do to expedite this process. Thanks, --Tyler On Tue, Jan 5, 2010 at 2:41 PM, Tyler Close tyler.cl...@gmail.com wrote: I've uploaded an updated version of Uniform Messaging Policy, Level One to the W3C web site. See: http://dev.w3.org/2006/waf/UMP

Re: [UMP] updated editor's draft of Uniform Messaging Policy on W3C site

2010-01-06 Thread Tyler Close
On Wed, Jan 6, 2010 at 1:58 AM, Anne van Kesteren ann...@opera.com wrote: On Tue, 05 Jan 2010 23:41:07 +0100, Tyler Close tyler.cl...@gmail.com wrote: I've uploaded an updated version of Uniform Messaging Policy, Level One to the W3C web site. See: http://dev.w3.org/2006/waf/UMP

[UMP] updated editor's draft of Uniform Messaging Policy on W3C site

2010-01-05 Thread Tyler Close
I've uploaded an updated version of Uniform Messaging Policy, Level One to the W3C web site. See: http://dev.w3.org/2006/waf/UMP/ This version reflects feedback received to date and follows the document conventions of a FPWD. I look forward to any additional feedback. Thanks, --Tyler --

Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?)

2009-12-21 Thread Tyler Close
On Thu, Dec 17, 2009 at 5:49 PM, Ian Hickson i...@hixie.ch wrote: On Thu, 17 Dec 2009, Tyler Close wrote: Starting from the X-FRAME-OPTIONS proposal, say the response header also applies to all embedding that the page renderer does. So it also covers img, video, etc. In addition

Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?)

2009-12-21 Thread Tyler Close
On Mon, Dec 21, 2009 at 2:16 PM, Ian Hickson i...@hixie.ch wrote: On Mon, 21 Dec 2009, Tyler Close wrote: On Thu, Dec 17, 2009 at 5:49 PM, Ian Hickson i...@hixie.ch wrote: On Thu, 17 Dec 2009, Tyler Close wrote: Starting from the X-FRAME-OPTIONS proposal, say the response header also

Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?)

2009-12-21 Thread Tyler Close
On Mon, Dec 21, 2009 at 2:39 PM, Ian Hickson i...@hixie.ch wrote: On Mon, 21 Dec 2009, Tyler Close wrote: No, there is a difference in access-control between the two designs. In the two header design: 1) An XHR GET of the XBL file data by example.org *is* allowed. 2) An xbl import

Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?)

2009-12-17 Thread Tyler Close
On Thu, Dec 17, 2009 at 10:08 AM, Maciej Stachowiak m...@apple.com wrote: My goal was merely to argue that adding an origin/cookie check to a secret-token-based mechanism adds meaningful defense in depth, compared to just using any of the proposed protocols over UM. I believe my argument

Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?)

2009-12-17 Thread Tyler Close
On Thu, Dec 17, 2009 at 9:38 AM, Ian Hickson i...@hixie.ch wrote: One of the big reasons to restrict which origin can use a particular resource is bandwidth management. For example, resources.example.com might want to allow *.example.com to use its XBL files, but not allow anyone else to

Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?)

2009-12-17 Thread Tyler Close
On Thu, Dec 17, 2009 at 3:46 PM, Ian Hickson i...@hixie.ch wrote: On Thu, 17 Dec 2009, Tyler Close wrote: On Thu, Dec 17, 2009 at 9:38 AM, Ian Hickson i...@hixie.ch wrote: One of the big reasons to restrict which origin can use a particular resource is bandwidth management. For example

Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?)

2009-12-17 Thread Tyler Close
On Thu, Dec 17, 2009 at 4:41 PM, Ian Hickson i...@hixie.ch wrote: On Thu, 17 Dec 2009, Tyler Close wrote: On Thu, Dec 17, 2009 at 3:46 PM, Ian Hickson i...@hixie.ch wrote: On Thu, 17 Dec 2009, Tyler Close wrote: On Thu, Dec 17, 2009 at 9:38 AM, Ian Hickson i...@hixie.ch wrote: One

Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?)

2009-12-15 Thread Tyler Close
On Mon, Dec 14, 2009 at 6:14 PM, Jonas Sicking jo...@sicking.cc wrote: On Mon, Dec 14, 2009 at 4:52 PM, Tyler Close tyler.cl...@gmail.com wrote: On Sun, Dec 13, 2009 at 6:15 PM, Maciej Stachowiak m...@apple.com wrote: There seem to be two schools of thought that to some extent inform

Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?)

2009-12-15 Thread Tyler Close
On Mon, Dec 14, 2009 at 4:26 PM, Tyler Close tyler.cl...@gmail.com wrote: On Mon, Dec 14, 2009 at 2:38 PM, Adam Barth w...@adambarth.com wrote: On Mon, Dec 14, 2009 at 2:13 PM, Tyler Close tyler.cl...@gmail.com wrote: For example, the User Consent Phase and Grant Phase above could be replaced

Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?)

2009-12-14 Thread Tyler Close
On Mon, Dec 14, 2009 at 10:16 AM, Adam Barth w...@adambarth.com wrote: On Mon, Dec 14, 2009 at 5:53 AM, Jonathan Rees j...@creativecommons.org wrote: The only complaint I know of regarding UM is that it is so complicated to use in practice that it will not be as enabling as CORS Actually,

Re: Next Steps for CORS and Uniform Messaging [Was: Re: CORS versus Uniform Messaging?]

2009-12-14 Thread Tyler Close
that server-side app authors may count on, which therefore protocols such as CORS and Uniform Messaging must uphold. On Fri, Dec 4, 2009 at 10:04 AM, Arthur Barstow art.bars...@nokia.com wrote: Mark, Tyler, On Nov 23, 2009, at 12:33 PM, ext Tyler Close wrote: I made some minor edits and formatting

Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?)

2009-12-14 Thread Tyler Close
On Mon, Dec 14, 2009 at 2:38 PM, Adam Barth w...@adambarth.com wrote: On Mon, Dec 14, 2009 at 2:13 PM, Tyler Close tyler.cl...@gmail.com wrote: For example, the User Consent Phase and Grant Phase above could be replaced by a single copy-paste operation by the user. Any design that involves

Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?)

2009-12-14 Thread Tyler Close
On Mon, Dec 14, 2009 at 3:04 PM, Maciej Stachowiak m...@apple.com wrote: On Dec 14, 2009, at 2:38 PM, Adam Barth wrote: On Mon, Dec 14, 2009 at 2:13 PM, Tyler Close tyler.cl...@gmail.com wrote: For example, the User Consent Phase and Grant Phase above could be replaced by a single copy

Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?)

2009-12-14 Thread Tyler Close
On Sun, Dec 13, 2009 at 6:15 PM, Maciej Stachowiak m...@apple.com wrote: There seem to be two schools of thought that to some extent inform the thinking of participants in this discussion: 1) Try to encourage capability-based mechanisms by not providing anything that lets you extend the use of

Re: Semi-public resources in Uniform Messaging

2009-12-10 Thread Tyler Close
On Thu, Dec 10, 2009 at 1:48 AM, Ian Hickson i...@hixie.ch wrote: On Wed, 9 Dec 2009, Tyler Close wrote: If you're willing to tolerate a little bit of implementation mechanism, I can do you one better on the UI side. Generally speaking, server-to-server communication is highly undesirable

Re: Semi-public resources in Uniform Messaging

2009-12-10 Thread Tyler Close
On Thu, Dec 10, 2009 at 12:19 PM, Ian Hickson i...@hixie.ch wrote: On Thu, 10 Dec 2009, Tyler Close wrote: On Thu, Dec 10, 2009 at 10:17 AM, Ian Hickson i...@hixie.ch wrote: That looks _really_ complicated. By many measures, your CORS based solution is more complicated. The measure I care

Re: Semi-public resources in Uniform Messaging

2009-12-09 Thread Tyler Close
On Wed, Dec 9, 2009 at 1:39 AM, Ian Hickson i...@hixie.ch wrote: On Tue, 8 Dec 2009, Tyler Close wrote: I assume you want to move on to the XHR-like example, so I've just got a few clarification questions about it... The examples are equivalent as far as I can tell. Both are important

Re: Semi-public resources in Uniform Messaging

2009-12-09 Thread Tyler Close
On Wed, Dec 9, 2009 at 7:43 AM, Ian Hickson i...@hixie.ch wrote: Ok, let's move on to a more complex case. Consider a static resource that is protected by a cookie authentication mechanism. For example, a per-user static feed updated daily on some server by some automated process. The server

Re: Semi-public resources in Uniform Messaging

2009-12-08 Thread Tyler Close
Hi Ian, To answer your question, I need a better understanding of what semi-public means. At first blush, it sounds a little bit like semi-pregnant. More inline below... On Tue, Dec 8, 2009 at 6:16 AM, Ian Hickson i...@hixie.ch wrote: I'm trying to understand this proposal and how it would

Re: Semi-public resources in Uniform Messaging

2009-12-08 Thread Tyler Close
Hi Ian, I assume you want to move on to the XHR-like example, so I've just got a few clarification questions about it... On Tue, Dec 8, 2009 at 11:18 AM, Ian Hickson i...@hixie.ch wrote: http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/att-0914/draft.html To recast the question

Re: Patent disclosure for UniMess? [Was: [cors] Uniform Messaging, a CSRF resistant profile of CORS]

2009-12-07 Thread Tyler Close
On Nov 23, 2009, at 12:33 PM, ext Tyler Close wrote: I made some minor edits and formatting improvements to the document sent out on Friday. The new version is attached. If you read the prior version, there's no need to review the new one. If you're just getting started, use the attached copy

Re: CSRF vulnerability in Tyler's GuestXHR protocol?

2009-11-16 Thread Tyler Close
On Fri, Nov 13, 2009 at 6:45 PM, Devdatta dev.akh...@gmail.com wrote: Some parts of the protocol are not clear to me. Can you please clarify the following: 1 In msg 1, what script context is the browser running in? Site A or Site B? (in other words who initiates the whole protocol?)

Re: [cors] unaddressed security concerns

2009-11-16 Thread Tyler Close
On Thu, Nov 5, 2009 at 9:59 PM, Maciej Stachowiak m...@apple.com wrote: Hi Tyler, On Nov 5, 2009, at 5:48 PM, Tyler Close wrote: Closing remark: In another thread, you've written I do think that a way to do an anonymous XHR is justified, so I don't know how much sense it makes

Re: CSRF vulnerability in Tyler's GuestXHR protocol?

2009-11-13 Thread Tyler Close
containing the previous secret. After the initial introduction, Server B has Server A's URL and a shared secret for authorization, so you can use that to bootstrap communication between the two servers. Thanks Devdatta My pleasure, --Tyler 2009/11/10 Tyler Close tyler.cl...@gmail.com: I've

Re: CORS Background slides

2009-11-10 Thread Tyler Close
I've updated the web page that describes the calendar access grant. See: http://sites.google.com/site/guestxhr/maciej-challenge More comments inline below... On Wed, Nov 4, 2009 at 6:14 PM, Maciej Stachowiak m...@apple.com wrote: On Nov 4, 2009, at 6:04 PM, Maciej Stachowiak wrote: I

Re: CSRF vulnerability in Tyler's GuestXHR protocol?

2009-11-10 Thread Tyler Close
to figure out which users it is talking to. Can you please provide a complete description of your protocol with all the steps required?  I don't see how we can evaluate the security of your protocol without such a description. Thanks, Adam On Thu, Nov 5, 2009 at 12:05 PM, Tyler Close tyler.cl

Re: CORS Background slides

2009-11-09 Thread Tyler Close
On Wed, Nov 4, 2009 at 5:57 PM, Maciej Stachowiak m...@apple.com wrote: 5) I would summarize the tradeoff between this mechanism for a simple cross-site communication scenario vs. the CORS way to do it as follows: a) In the CORS-based protocol, if you change the scenario in a way that

Re: CSRF vulnerability in Tyler's GuestXHR protocol?

2009-11-05 Thread Tyler Close
Hi Adam, Responses inline below... On Thu, Nov 5, 2009 at 8:56 AM, Adam Barth w...@adambarth.com wrote: Hi Tyler, I've been trying to understand the GuestXHR protocol you propose for replacing CORS: http://sites.google.com/site/guestxhr/maciej-challenge I don't understand the message in

Re: [cors] unaddressed security concerns

2009-11-05 Thread Tyler Close
Hi Maciej, Responses inline below... On Wed, Nov 4, 2009 at 9:36 PM, Maciej Stachowiak m...@apple.com wrote: On Nov 3, 2009, at 5:33 PM, Tyler Close wrote: On Mon, Oct 12, 2009 at 7:19 AM, Maciej Stachowiak m...@apple.com wrote: As a side note, I should add that Tyler's scenario would

Re: XHR and sandboxed iframes (was: Re: XHR without user credentials)

2009-06-26 Thread Tyler Close
On Thu, Jun 18, 2009 at 12:32 AM, Ian Hickson i...@hixie.ch wrote: On Wed, 17 Jun 2009, Mark S. Miller wrote: I don't really understand what we're trying to prevent here. Confused deputies such as XSRF problems. Original paper is at http://www.cis.upenn.edu/~KeyKOS/ConfusedDeputy.html.

Re: XHR and sandboxed iframes (was: Re: XHR without user credentials)

2009-06-26 Thread Tyler Close
Response inline below, so keep scrolling... On Fri, Jun 26, 2009 at 3:41 PM, Ian Hickson i...@hixie.ch wrote: On Fri, 26 Jun 2009, Tyler Close wrote: Consider two web-applications: photo.example.com, a photo manager; and printer.example.net, a photo printer. Both of these web-apps use storage

Re: [cors] TAG request concerning CORS Next Step(s)

2009-06-24 Thread Tyler Close
On Wed, Jun 24, 2009 at 10:16 AM, Jonas Sicking jo...@sicking.cc wrote: Firefox 3.5 will be out in a matter of days (RC available already) and it supports the majority of CORS (everything but redirects of preflighted requests). What is the behavior of the Origin header on other kinds of

Re: [cors] TAG request concerning CORS Next Step(s)

2009-06-24 Thread Tyler Close
Hi Jonas, I'm just asking what Origin header behavior will be shipped in Firefox 3.5. You've said redirects of preflighted requests aren't supported, so I'm wondering about the non-preflighted requests. Another question, since Firefox doesn't support redirects of preflighted requests, what does

Re: [cors] TAG request concerning CORS Next Step(s)

2009-06-24 Thread Tyler Close
On Wed, Jun 24, 2009 at 1:37 PM, Jonas Sicking jo...@sicking.cc wrote: On Wed, Jun 24, 2009 at 12:52 PM, Tyler Close tyler.cl...@gmail.com wrote: Hi Jonas, I'm just asking what Origin header behavior will be shipped in Firefox 3.5. You've said redirects of preflighted requests aren't supported,