Re: [cors] TAG request concerning CORS & Next Step(s)

2009-10-23 Thread Anne van Kesteren
On Thu, 22 Oct 2009 20:00:02 +0200, Henry S. Thompson wrote: Sorry for the delay -- the discussion has clarified the current relevance of client-side implementations, and as far as that goes the TAG is happy. We do assume that demonstrating interoperable server-side implementation will be a ne

Re: [cors] TAG request concerning CORS & Next Step(s)

2009-10-22 Thread Henry S. Thompson
Anne van Kesteren writes: > On Wed, 24 Jun 2009 19:22:35 +0200, Henry S. Thompson > wrote: >> One point of clarification: my (admittedly imperfect) understanding >> was that the most important parts of CORS have to be implemented >> _server_-side fo

Re: [cors] TAG request concerning CORS & Next Step(s)

2009-10-08 Thread Mark S. Miller
On Thu, Oct 8, 2009 at 8:06 AM, Anne van Kesteren wrote: > On Wed, 24 Jun 2009 19:22:35 +0200, Henry S. Thompson > wrote: >> >> One point of clarification: my (admittedly imperfect) understanding >> was that the most important parts of CORS have to be implemented >> _server_-side for the proposal

Re: [cors] TAG request concerning CORS & Next Step(s)

2009-10-08 Thread Anne van Kesteren
On Wed, 24 Jun 2009 19:22:35 +0200, Henry S. Thompson wrote: One point of clarification: my (admittedly imperfect) understanding was that the most important parts of CORS have to be implemented _server_-side for the proposal to achieve its goals. If that's true, browser deployment alone is ins

Re: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Adam Barth
On Wed, Jun 24, 2009 at 10:12 PM, Mark S. Miller wrote: > The server can sensibly wish to reveal a particular piece of information to > those parties that it thinks should be authorized to learn that information. > Without assuming your conclusion, why should the server wish to identify > those par

Re: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Mark S. Miller
On Wed, Jun 24, 2009 at 8:46 PM, Adam Barth wrote: > My understanding is that the CORS use of the Origin header is mostly > to protect the confidentiality of resources on the server. For > example, if (1) the server wishes to reveal a particular piece of > information to some origins but not to ot

RE: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Adrian Bateman
> On Wednesday, June 24, 2009 8:25 PM, Mark S. Miller wrote: > On Wed, Jun 24, 2009 at 8:17 PM, Adrian Bateman > wrote: > On Wednesday, June 24, 2009 6:39 PM, Mark S. Miller wrote: > > On Wed, Jun 24, 2009 at 8:14 AM, Anne van Kesteren > wrote: > > > I cannot comment on behalf of Opera on this. I

Re: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Adam Barth
On Wed, Jun 24, 2009 at 8:42 PM, Bil Corry wrote: > As written, a conforming UA could choose to always send NULL for redirects, > which would be unfortunate. That's correct. > More concerning though, a conforming UA could choose to always send NULL for >*all* HTTP requests. That's correct. > 

Re: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Adam Barth
On Wed, Jun 24, 2009 at 6:39 PM, Mark S. Miller wrote: > On Wed, Jun 24, 2009 at 8:14 AM, Anne van Kesteren wrote: > As is widely recognized, CSRF is a form of confused deputy attack > . From the beginning, > the diagnosis of the underlying pr

Re: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Bil Corry
Adam Barth wrote on 6/24/2009 10:09 PM: > On Wed, Jun 24, 2009 at 5:42 PM, Bil Corry wrote: >> Adam Barth wrote on 6/24/2009 6:16 PM: >>> I've uploaded the latest draft just now: >>> >>> http://www.ietf.org/internet-drafts/draft-abarth-origin-01.txt >>> >>> The draft now uses a different header na

Re: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Mark S. Miller
On Wed, Jun 24, 2009 at 8:17 PM, Adrian Bateman wrote: > On Wednesday, June 24, 2009 6:39 PM, Mark S. Miller wrote: > > On Wed, Jun 24, 2009 at 8:14 AM, Anne van Kesteren > wrote: > > > I cannot comment on behalf of Opera on this. I can point out that > Safari 4 and Chrome 2 > > > ship with it an

RE: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Adrian Bateman
On Wednesday, June 24, 2009 6:39 PM, Mark S. Miller wrote: > On Wed, Jun 24, 2009 at 8:14 AM, Anne van Kesteren wrote: > > I cannot comment on behalf of Opera on this. I can point out that Safari 4 > > and Chrome 2 > > ship with it and that Firefox 3.5 will too. (No implementation will support >

Re: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Adam Barth
On Wed, Jun 24, 2009 at 5:42 PM, Bil Corry wrote: > Adam Barth wrote on 6/24/2009 6:16 PM: >> I've uploaded the latest draft just now: >> >> http://www.ietf.org/internet-drafts/draft-abarth-origin-01.txt >> >> The draft now uses a different header name to avoid conflicting with >> CORS and behaves

Re: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Mark S. Miller
On Wed, Jun 24, 2009 at 6:39 PM, Mark S. Miller wrote: > > [1] See for example the section on confused deputy in < > http://srl.cs.jhu.edu/pubs/SRL2003-02.pdf>. I thought David Wagner's > Google techtalk explained "ambient authority" especially clearly Wagner's Google techtalk>. Tyler's "ACLs Do

Re: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Mark S. Miller
On Wed, Jun 24, 2009 at 8:14 AM, Anne van Kesteren wrote: > On Wed, 24 Jun 2009 13:29:38 +0200, Arthur Barstow > wrote: > >> 1. Please respond to at least this part of Henry's mail: >> >> [[ >> It appeared to us that a number of significant criticisms of the >> appropriateness of CORS have been

Re: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Bil Corry
Adam Barth wrote on 6/24/2009 6:16 PM: > On Wed, Jun 24, 2009 at 12:43 PM, Jonas Sicking wrote: >> As for the "Origin" spec that Adam Barth is working on, I'm not sure >> that the last draft is published yet, but I believe that the idea is >> to append the full redirect chain in the Origin header.

Re: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Adam Barth
On Wed, Jun 24, 2009 at 12:43 PM, Jonas Sicking wrote: > As for the "Origin" spec that Adam Barth is working on, I'm not sure > that the last draft is published yet, but I believe that the idea is > to append the full redirect chain in the Origin header. (hence > possibly making it incompatible wit

Re: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Bil Corry
Tyler Close wrote on 6/24/2009 4:26 PM: > On Wed, Jun 24, 2009 at 1:37 PM, Jonas Sicking wrote: >> On Wed, Jun 24, 2009 at 12:52 PM, Tyler Close wrote: >>> Hi Jonas, >>> >>> I'm just asking what Origin header behavior will be shipped in Firefox >>> 3.5. You've said redirects of preflighted request

Re: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Maciej Stachowiak
On Jun 24, 2009, at 4:29 AM, Arthur Barstow wrote: Members of the Web Apps WG, Below is an email from Henry Thompson (forwarded with his permission), on behalf of the TAG [1], re the CORS spec [2]. Two things: 1. Please respond to at least this part of Henry's mail: [[ It appeared to us

Re: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Tyler Close
On Wed, Jun 24, 2009 at 1:37 PM, Jonas Sicking wrote: > On Wed, Jun 24, 2009 at 12:52 PM, Tyler Close wrote: >> Hi Jonas, >> >> I'm just asking what Origin header behavior will be shipped in Firefox >> 3.5. You've said redirects of preflighted requests aren't supported, >> so I'm wondering about th

RE: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Adrian Bateman
On Wednesday, June 24, 2009 8:14 AM, Anne van Kesteren wrote: > To: Arthur Barstow; public-webapps; Henry Thompson > Subject: Re: [cors] TAG request concerning CORS & Next Step(s) > > On Wed, 24 Jun 2009 13:29:38 +0200, Arthur Barstow > wrote: > > 2. For those that hav

Re: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Jonas Sicking
On Wed, Jun 24, 2009 at 12:52 PM, Tyler Close wrote: > Hi Jonas, > > I'm just asking what Origin header behavior will be shipped in Firefox > 3.5. You've said redirects of preflighted requests aren't supported, > so I'm wondering about the non-preflighted requests. It will have the Origin header o

Re: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Tyler Close
Hi Jonas, I'm just asking what Origin header behavior will be shipped in Firefox 3.5. You've said redirects of preflighted requests aren't supported, so I'm wondering about the non-preflighted requests. Another question, since Firefox doesn't support redirects of preflighted requests, what does i

Re: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Jonas Sicking
On Wed, Jun 24, 2009 at 11:45 AM, Tyler Close wrote: > On Wed, Jun 24, 2009 at 10:16 AM, Jonas Sicking wrote: >> Firefox 3.5 will be out in a matter of days (RC available already) and >> it supports the majority of CORS (everything but redirects of >> preflighted requests). > > What is the behavior

Re: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Jonas Sicking
On Wed, Jun 24, 2009 at 10:22 AM, Henry S. Thompson wrote: > Jonas Sicking writes: > >> As Anne pointed out, others have also deployed partial support. In >> fact, relatively speaking, CORS has seen an extraordinary amount of >> browser deployment

Re: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Arun Ranganathan
Arthur Barstow wrote: Members of the Web Apps WG, Below is an email from Henry Thompson (forwarded with his permission), on behalf of the TAG [1], re the CORS spec [2]. Two things: 1. Please respond to at least this part of Henry's mail: [[ It appeared to us that a number of significant cri

Re: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Tyler Close
On Wed, Jun 24, 2009 at 10:16 AM, Jonas Sicking wrote: > Firefox 3.5 will be out in a matter of days (RC available already) and > it supports the majority of CORS (everything but redirects of > preflighted requests). What is the behavior of the Origin header on other kinds of redirects? For exampl

Re: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Michael(tm) Smith
"Henry S. Thompson" , 2009-06-24 18:22 +0100: > Jonas Sicking writes: > > > As Anne pointed out, others have also deployed partial support. In > > fact, relatively speaking, CORS has seen an extraordinary amount of > > browser deployment already. > > One point of clarification: my (admittedly im

Re: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Henry S. Thompson
Jonas Sicking writes: > As Anne pointed out, others have also deployed partial support. In > fact, relatively speaking, CORS has seen an extraordinary amount of > browser deployment already. One point of clarification: my (admittedly imperfect) under

Re: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Jonas Sicking
First of all, I know of only one outstanding security issue, which is around redirects. If there are others, it would be great to get detailed feedback, we're not hard to reach :) > 2. For those that have been active in defining the CORS model and/or CORS > implementers - particularly Adam, Anne,

Re: [cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Anne van Kesteren
On Wed, 24 Jun 2009 13:29:38 +0200, Arthur Barstow wrote: 1. Please respond to at least this part of Henry's mail: [[ It appeared to us that a number of significant criticisms of the appropriateness of CORS have been submitted to the Working Group, from respected members of the Web Security co

[cors] TAG request concerning CORS & Next Step(s)

2009-06-24 Thread Arthur Barstow
Members of the Web Apps WG, Below is an email from Henry Thompson (forwarded with his permission), on behalf of the TAG [1], re the CORS spec [2]. Two things: 1. Please respond to at least this part of Henry's mail: [[ It appeared to us that a number of significant criticisms of the appropr