Origin enables XSS to escalate to XSRF (was: security issue with XMLHttpRequest API compatibility)

2009-06-03 Thread Mark S. Miller
On Thu, Apr 9, 2009 at 8:48 AM, Bil Corry b...@corry.biz wrote: My point is that a robust Origin moves us closer to better security controls, perhaps not all the way, but certainly much closer than CORS-Origin gets us. I admit that I haven't followed in detail the various origin proposals

Re: Origin enables XSS to escalate to XSRF (was: security issue with XMLHttpRequest API compatibility)

2009-06-05 Thread Mark S. Miller
[+www-tag] I have received several private responses to my post, but oddly, nothing public yet. In these responses, I have been asked most frequently about: On Wed, Jun 3, 2009 at 4:21 PM, Mark S. Miller erig...@google.com wrote: Why identify even same origin requests as cross-origin? Given

Re: Origin enables XSS to escalate to XSRF (was: security issue with XMLHttpRequest API compatibility)

2009-06-07 Thread Mark S. Miller
On Sun, Jun 7, 2009 at 12:17 PM, Adam Barth w...@adambarth.com wrote: On Wed, Jun 3, 2009 at 4:21 PM, Mark S. Miller erig...@google.com wrote: Since malicious machines, or malicious applications running on trusted machines, can send messages that aren't self-identified as cross origin

Re: Origin enables XSS to escalate to XSRF (was: security issue with XMLHttpRequest API compatibility)

2009-06-07 Thread Mark S. Miller
[- all but Adam and public-webapps] On Sun, Jun 7, 2009 at 3:24 PM, Adam Barth w...@adambarth.com wrote: On Sun, Jun 7, 2009 at 2:53 PM, Mark S. Miller erig...@google.com wrote: If servers at A don't freely hand out such tokens in response to guessable GET requests, then the secret token

Re: Origin enables XSS to escalate to XSRF (was: security issue with XMLHttpRequest API compatibility)

2009-06-07 Thread Mark S. Miller
wrote: On Sun, Jun 7, 2009 at 3:21 PM, Mark S. Miller erig...@google.com wrote: If the hypothesis I am raising is indeed not a problem, then it doesn't matter whether these same origin requests carry Origin: null or nothing. What matters is that JavaScript code have a standard way

Re: Origin enables XSS to escalate to XSRF (was: security issue with XMLHttpRequest API compatibility)

2009-06-07 Thread Mark S. Miller
, 2009 at 2:53 PM, Mark S. Miller erig...@google.com wrote: If servers at A don't freely hand out such tokens in response to guessable GET requests, So, if servers at A don't do this, how does the attacker, having XSSes site A, learn the secret token necessary to issue the next request

Re: XHR without user credentials

2009-06-08 Thread Mark S. Miller
On Mon, Jun 8, 2009 at 2:17 PM, Anne van Kesteren ann...@opera.com wrote: We already have a feature to do a request without credentials. Set the withCredentials flag to false. (If you meant something else that was not clear from the context, at least to me.) Though saying that I realize

Re: XHR without user credentials

2009-06-08 Thread Mark S. Miller
On Mon, Jun 8, 2009 at 2:44 PM, Anne van Kesteren ann...@opera.com wrote: I think we have some freedom to change some of the details here as long as the motivation is perfectly clear and agreed upon by those that have already implemented the draft. I sort of like the idea of having a new

Re: Origin enables XSS to escalate to XSRF (was: security issue with XMLHttpRequest API compatibility)

2009-06-09 Thread Mark S. Miller
debating. On Sun, Jun 7, 2009 at 11:18 PM, Adam Barth w...@adambarth.com wrote: On Sun, Jun 7, 2009 at 6:24 PM, Mark S. Miller erig...@google.com wrote: On Sun, Jun 7, 2009 at 4:29 PM, Adam Barth w...@adambarth.com wrote: Right, but once the attacker has XSSed site A, the attacker learns
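
The two server-side checks this thread argues about, written out as an added example that is not code from the thread or from any of its participants: an Origin-header check and a synchronizer-token check, each run against constructed requests for a cross-site forgery, a legacy same-origin client that sends no Origin header, and a request issued by script that has XSSed site A. The site name, session shape and request shape are assumptions made for the illustration.

```javascript
// Added example (not code from the thread). Server-side CSRF checks as pure
// decision functions, exercised against constructed requests. SITE_ORIGIN,
// the session object and the request shape are assumptions for illustration.

const SITE_ORIGIN = "https://a.example"; // "site A" in the thread (assumed name)

// Origin-header check: a state-changing request is accepted only if the
// browser-supplied Origin header names this site. A missing Origin header is
// rejected (fail closed); relaxing that for old clients is a policy choice.
function originCheckPasses(req) {
  const origin = req.headers["origin"];
  return typeof origin === "string" && origin === SITE_ORIGIN;
}

// Constant-time comparison so the token check does not leak prefix
// information through timing.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Synchronizer-token check: the per-session secret must be echoed in the body.
// The token is not derivable from the cookie, so a cross-site page that can
// only make the browser attach cookies cannot supply it.
function tokenCheckPasses(req, session) {
  const supplied = req.body && req.body.csrf_token;
  if (typeof supplied !== "string" || typeof session.csrfToken !== "string") return false;
  return constantTimeEqual(supplied, session.csrfToken);
}

// Run both checks and report each verdict separately.
function evaluate(req, session) {
  return { origin: originCheckPasses(req), token: tokenCheckPasses(req, session) };
}

// Constructed scenarios (all values made up for this example).
const session = { id: "victim", csrfToken: "9f1c4e2a7b3d5e6f0a1b2c3d4e5f6a7b" };

// 1) Classic cross-site forgery: a page on evil.example auto-submits a form to
//    site A. The browser attaches A's cookies but stamps the attacker's Origin,
//    and the attacker cannot read A's token, so the field is a guess.
const crossSiteForgery = {
  headers: { origin: "https://evil.example", cookie: "sid=victim" },
  body: { action: "transfer", csrf_token: "0000" },
};

// 2) Same-origin request from a legacy client that sends no Origin header:
//    legitimate, but the Origin check alone cannot tell it from a forgery.
const legacySameOrigin = {
  headers: { cookie: "sid=victim" },
  body: { action: "transfer", csrf_token: session.csrfToken },
};

// 3) XSS on site A: the attacker's script runs inside A's origin. The browser
//    stamps Origin: A, and the script can read the token out of A's own page
//    (modelled here by copying it from the session).
const xssDrivenRequest = {
  headers: { origin: SITE_ORIGIN, cookie: "sid=victim" },
  body: { action: "transfer", csrf_token: session.csrfToken },
};

console.log(JSON.stringify({
  crossSiteForgery: evaluate(crossSiteForgery, session),
  legacySameOrigin: evaluate(legacySameOrigin, session),
  xssDrivenRequest: evaluate(xssDrivenRequest, session),
}));
```

The third scenario is the one the thread is about: once script runs inside A's origin, both the Origin header and the synchronizer token are available to it, so neither check distinguishes its requests from A's own.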

Re: XHR without user credentials

2009-06-12 Thread Mark S. Miller
On Mon, Jun 8, 2009 at 2:44 PM, Anne van Kesteren ann...@opera.com wrote: I sort of like the idea of having a new (named) constructor or maybe have the constructor take an argument to indicate credentials are supposed to be omitted. This would also allow us to drop the withCredentials flag.

Re: [cors] origin and redirects

2009-06-16 Thread Mark S. Miller
On Tue, Jun 16, 2009 at 8:05 AM, Anne van Kesteren ann...@opera.com wrote: This creates some related issues we have to sort out one way or another: A) How does this affect Access-Control-Allow-Origin? B) How does this affect the preflight result cache? I am very glad that the current

Re: XHR without user credentials

2009-06-16 Thread Mark S. Miller
On Tue, Jun 9, 2009 at 12:21 PM, Anne van Kesteren ann...@opera.com wrote: On Tue, 09 Jun 2009 21:15:18 +0200, Tyler Close tyler.cl...@gmail.com wrote: Could you provide a code example that shows how to send an XHR request to the same Origin without credentials using the HTML5 iframe

Re: XHR and sandboxed iframes (was: Re: XHR without user credentials)

2009-06-17 Thread Mark S. Miller
On Wed, Jun 17, 2009 at 4:29 AM, Anne van Kesteren ann...@opera.com wrote: HTML5 does not assume CORS at this point I believe. Having said that, the sandboxed origin browsing context flag does more. It forces the content of the iframe into a unique origin. A number of features are disabled

Re: [cors] Review

2009-06-17 Thread Mark S. Miller
On Wed, Jun 17, 2009 at 1:01 PM, Anne van Kesteren ann...@opera.com wrote: On Wed, 17 Jun 2009 19:45:54 +0200, Tyler Close tyler.cl...@gmail.com wrote: If this technique can in practice provide adequate protection, it is a much better solution than CORS, which undermines HTTP and webarch in

Re: XHR and sandboxed iframes (was: Re: XHR without user credentials)

2009-06-17 Thread Mark S. Miller
On Wed, Jun 17, 2009 at 4:32 PM, Ian Hickson i...@hixie.ch wrote: On Wed, 17 Jun 2009, Mark S. Miller wrote: If it does transmit any of these currently, are there any objections to revising the spec so that it doesn't? Why? So that the containing page can use

Re: XHR and sandboxed iframes (was: Re: XHR without user credentials)

2009-06-17 Thread Mark S. Miller
On Wed, Jun 17, 2009 at 4:46 PM, Ian Hickson i...@hixie.ch wrote: But... we want the page talking on behalf of the user. That's the point of a browser. Not in this way. At least not according to Roy Fielding (Mr. REST) http://lists.w3.org/Archives/Public/ietf-http-wg/2009JanMar/0037.html.

Re: XHR and sandboxed iframes (was: Re: XHR without user credentials)

2009-06-17 Thread Mark S. Miller
On Wed, Jun 17, 2009 at 5:09 PM, Adam Barth w...@adambarth.com wrote: On Wed, Jun 17, 2009 at 5:02 PM, Mark S. Miller erig...@google.com wrote: On Wed, Jun 17, 2009 at 4:46 PM, Ian Hickson i...@hixie.ch wrote: But... we want the page talking on behalf of the user. That's the point of a

Re: XHR and sandboxed iframes (was: Re: XHR without user credentials)

2009-06-17 Thread Mark S. Miller
On Wed, Jun 17, 2009 at 5:32 PM, Adam Barth w...@adambarth.com wrote: I know, but you do appreciate the irony in citing that email in a discussion of how to mitigate CSRF. ;)

Re: [cors] TAG request concerning CORS Next Step(s)

2009-06-24 Thread Mark S. Miller
On Wed, Jun 24, 2009 at 8:14 AM, Anne van Kesteren ann...@opera.com wrote: On Wed, 24 Jun 2009 13:29:38 +0200, Arthur Barstow art.bars...@nokia.com wrote: 1. Please respond to at least this part of Henry's mail: [[ It appeared to us that a number of significant criticisms of the

Re: [cors] TAG request concerning CORS Next Step(s)

2009-06-24 Thread Mark S. Miller
On Wed, Jun 24, 2009 at 6:39 PM, Mark S. Miller erig...@google.com wrote: [1] See for example the section on confused deputy in http://srl.cs.jhu.edu/pubs/SRL2003-02.pdf. I thought David Wagner's Google techtalk explained ambient authority especially clearly David Wagner's Google techtalk

Re: [cors] TAG request concerning CORS Next Step(s)

2009-06-24 Thread Mark S. Miller
On Wed, Jun 24, 2009 at 8:17 PM, Adrian Bateman adria...@microsoft.com wrote: On Wednesday, June 24, 2009 6:39 PM, Mark S. Miller wrote: On Wed, Jun 24, 2009 at 8:14 AM, Anne van Kesteren ann...@opera.com wrote: I cannot comment on behalf of Opera on this. I can point out that Safari 4

Re: [cors] TAG request concerning CORS Next Step(s)

2009-06-24 Thread Mark S. Miller
On Wed, Jun 24, 2009 at 8:46 PM, Adam Barth w...@adambarth.com wrote: My understanding is that the CORS use of the Origin header is mostly to protect the confidentiality of resources on the server. For example, if (1) the server wishes to reveal a particular piece of information to some

Re: ECMA TC 39 / W3C HTML and WebApps WG coordination

2009-09-25 Thread Mark S. Miller
On Thu, Sep 24, 2009 at 7:55 AM, Maciej Stachowiak m...@apple.com wrote: On Sep 24, 2009, at 5:36 AM, Sam Ruby wrote: The current WebIDL binding to ECMAScript is based on ES3... this needs to more closely track to the evolution of ES, in particular it needs to be updated to ES5 w.r.t the Meta

Re: Web IDL Garden Hose (was: ECMA TC 39 / W3C HTML and WebApps WG coordination)

2009-09-26 Thread Mark S. Miller
On Sat, Sep 26, 2009 at 3:36 PM, Cameron McCormack c...@mcc.id.au wrote: Indeed, much of the custom [[Get]] etc. functionality can be turned into ES5 meta-object stuff.  A pertinent question is then: should we change Web IDL to specify an ES5 binding (and not ES3) at this point, given that

Re: Web IDL Garden Hose (was: ECMA TC 39 / W3C HTML and WebApps WG coordination)

2009-09-26 Thread Mark S. Miller
On Sat, Sep 26, 2009 at 3:48 PM, Oliver Hunt oli...@apple.com wrote: I would avoid depending on ES5 until there are multiple realworld implementations at least, especially because the interaction between the es5 meta-object functionality and host objects is less than clear at present. Hi

Fwd: Cross posting madness must stop.

2009-09-27 Thread Mark S. Miller
-- Forwarded message -- From: David-Sarah Hopwood david-sa...@jacaranda.org Date: Sun, Sep 27, 2009 at 4:05 PM Subject: Re: Cross posting madness must stop. To: es-disc...@mozilla.org Mark S. Miller wrote: Comparing https://mail.mozilla.org/pipermail/es-discuss/2009-September

Re: Cross posting madness must stop.

2009-09-27 Thread Mark S. Miller
On Sun, Sep 27, 2009 at 4:00 PM, Maciej Stachowiak m...@apple.com wrote: Cross posting isn't great, but a brand new list will be missing many people with an interest in the topic for a while until it ramps up. In the meantime, I think both es-discuss and public-webapps are open for anyone to

Re: Web IDL Garden Hose (was: ECMA TC 39 / W3C HTML and WebApps WG coordination)

2009-09-28 Thread Mark S. Miller
On Mon, Sep 28, 2009 at 2:02 AM, Robin Berjon ro...@berjon.com wrote: I'm not sure what you're getting at here. WebIDL isn't just for HTML5, it's used throughout WebApps and DAP, and by a number of other groups as well, which have deliverables at various levels of completion. By depending on

Re: [cors] security issue with XMLHttpRequest API compatibility

2009-10-08 Thread Mark S. Miller
On Thu, Oct 8, 2009 at 7:55 AM, Anne van Kesteren ann...@opera.com wrote: On Tue, 14 Apr 2009 14:34:11 +0200, Arthur Barstow art.bars...@nokia.com wrote: On Apr 14, 2009, at 6:33 AM, ext Thomas Roessler wrote: So, to pick up on this discussion again -- I don't think we've had a useful

Re: [cors] TAG request concerning CORS Next Step(s)

2009-10-08 Thread Mark S. Miller
On Thu, Oct 8, 2009 at 8:06 AM, Anne van Kesteren ann...@opera.com wrote: On Wed, 24 Jun 2009 19:22:35 +0200, Henry S. Thompson h...@inf.ed.ac.uk wrote: One point of clarification: my (admittedly imperfect) understanding was that the most important parts of CORS have to be implemented

Re: Open Review of the CORS Specification

2009-10-13 Thread Mark S. Miller
On Tue, Oct 13, 2009 at 8:12 AM, Doug Schepers schep...@w3.org wrote: [out of order] So, I encourage feedback on the public-webapps list, rather than this one... I'm just the messenger here. Indeed. Hence I'm replying on public-webapps cc'ing cap-talk. David-Sarah Hopwood wrote (on 10/13/09

Re: [cors] unaddressed security concerns

2009-10-13 Thread Mark S. Miller
On Mon, Oct 12, 2009 at 10:49 PM, Adam Barth w...@adambarth.com wrote: [...] We should concentrate on the following questions: 1) Does CORS introduce security vulnerabilities into legacy servers that are unaware of the CORS protocol? 2) How well does CORS support the simple use cases of

Re: [cors] Uniform Messaging, a CSRF resistant profile of CORS

2009-11-21 Thread Mark S. Miller
On Sat, Nov 21, 2009 at 12:39 AM, Jonas Sicking jo...@sicking.cc wrote: I've only had time for a quick scan, but this looks like a very good proposal. Thanks. Is there a reason why a full XMLHttpRequest API couldn't be used? I guess in its most simple incarnation things like setRequestHeader

Re: CORS versus Uniform Messaging? [Was: [cors] Uniform Messaging, a CSRF resistant profile of CORS]

2009-12-04 Thread Mark S. Miller
We intend that Uniform Messaging be adopted instead of CORS. We intend that those APIs that were expected to utilize CORS (SSE, XBL) instead utilize Uniform Messaging. As for XHR2, we intend to propose a similar UniformRequest that utilizes Uniform Messaging. We intend the current proposal,

Re: CORS versus Uniform Messaging?

2009-12-10 Thread Mark S. Miller
JSONRequest. But if the lack of a preflight-based level 2 is the issue blocking rallying on UM, we could propose a level 2 before an agreement on what SOP guarantees must be upheld. -Art Barstow On Dec 4, 2009, at 1:30 PM, ext Mark S. Miller wrote: We intend that Uniform Messaging

Re: CORS versus Uniform Messaging?

2009-12-13 Thread Mark S. Miller
On Sat, Dec 12, 2009 at 7:17 PM, Adam Barth w...@adambarth.com wrote: On Thu, Dec 10, 2009 at 12:04 PM, Jonas Sicking jo...@sicking.cc wrote: On Thu, Dec 10, 2009 at 10:53 AM, Arthur Barstow art.bars...@nokia.com wrote: Ideally, the group would agree on a single model and this could be

Re: CORS versus Uniform Messaging?

2009-12-13 Thread Mark S. Miller
On Sat, Dec 12, 2009 at 11:14 PM, Maciej Stachowiak m...@apple.com wrote: I agree with Jonas and Adam as well. I think both models have their use cases. A few specific additional thoughts: - Something like UM seems pretty important, probably essential, for running guest code if you are

Re: CORS versus Uniform Messaging?

2009-12-13 Thread Mark S. Miller
On Sun, Dec 13, 2009 at 12:26 PM, Adam Barth w...@adambarth.com wrote: On Sun, Dec 13, 2009 at 8:54 AM, Mark S. Miller erig...@google.com wrote: On Sat, Dec 12, 2009 at 7:17 PM, Adam Barth w...@adambarth.com wrote: I agree with Jonas. It seems unlikely we'll be able to design-by-commitee

Re: CORS versus Uniform Messaging?

2009-12-13 Thread Mark S. Miller
On Sun, Dec 13, 2009 at 1:29 PM, Mark S. Miller erig...@google.com wrote: On Sun, Dec 13, 2009 at 12:26 PM, Adam Barth w...@adambarth.com wrote: On Sun, Dec 13, 2009 at 8:54 AM, Mark S. Miller erig...@google.com wrote: On Sat, Dec 12, 2009 at 7:17 PM, Adam Barth w...@adambarth.com wrote

Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?)

2009-12-13 Thread Mark S. Miller
brought up the controversy dating from the '70s as relevant to this discussion. I am merely clarifying how one should interpret the history of that controversy. On Dec 13, 2009, at 1:29 PM, Mark S. Miller wrote: On Sun, Dec 13, 2009 at 12:26 PM, Adam Barth w...@adambarth.com wrote: On Sun, Dec 13

Re: Next Steps for CORS and Uniform Messaging [Was: Re: CORS versus Uniform Messaging?]

2009-12-14 Thread Mark S. Miller
, the group would agree on a single model and this could be achieved by converging CORS + UM, abandoning one model in deference to the other, etc. Can we all rally behind a single model? -Art Barstow On Dec 4, 2009, at 1:30 PM, ext Mark S. Miller wrote: We intend that Uniform Messaging

Why preflight per-resource rather than per-origin?

2009-12-17 Thread Mark S. Miller
Despite the costs of doing preflight opt-in on a per-resource basis rather than a per-origin basis, to meet its security goals, CORS proposes to do preflight on a per-resource basis. I have seen the rationale for this stated in bits and pieces. Can anyone point me at a reasonably self-contained

Re: Are we making a Category Mistake?

2009-12-19 Thread Mark S. Miller
:51 PM, Mark S. Miller erig...@google.com wrote: On Sat, Dec 19, 2009 at 5:58 PM, Adam Barth w...@adambarth.com wrote: Mark, The difference is subtle, but important. Indeed. I'm leery of starting another centithread on CORS, but I'll try my best to explain clearly

Re: Are we making a Category Mistake?

2009-12-19 Thread Mark S. Miller
On Sat, Dec 19, 2009 at 8:58 PM, Ian Hickson i...@hixie.ch wrote: On Sat, 19 Dec 2009, Mark S. Miller wrote: And that is why in my response, I stated For the same reason, we are not *serving the interests* of an origin by adding that origin's name to the ACL for a resource. [emphasis

Re: Are we making a Category Mistake?

2009-12-20 Thread Mark S. Miller
On Sat, Dec 19, 2009 at 10:26 PM, Maciej Stachowiak m...@apple.com wrote: On Dec 19, 2009, at 9:52 PM, Mark S. Miller wrote: Because services A and B at origin O are vulnerable to each other, any permission P granted to A can be obtained by, and exercised by, B. Rephrasing, all

Re: [UMP] Server opt-in

2010-01-12 Thread Mark S. Miller
Hi Adam, I don't understand this at all. First, as the draft UMP already says, were it not for the need to be compatible with currently deployed browser behaviors, UMP would prefer a short header U: anyway, rather than the unfortunately long Access-Control-Allow-Origin:* in an incompressible

Re: CfC: to publish First Public Working Draft of Uniform Messaging Policy spec; deadline January 19

2010-01-12 Thread Mark S. Miller
Support. On Tue, Jan 12, 2010 at 3:29 PM, Arthur Barstow art.bars...@nokia.com wrote: This is a Call for Consensus (CfC) to publish the First Public Working Draft (FPWD) of the Uniform Messaging Policy (UMP) spec, latest Editor's Draft at: http://dev.w3.org/2006/waf/UMP/ This CfC

[UMP] Subsetting (was: [XHR2] AnonXMLHttpRequest())

2010-02-03 Thread Mark S. Miller
Hi Maciej and Tyler, IMO, the important subsetting points, in priority order, are: 1) Server-side behavior compatible with UMP is automatically compatible with CORS and with present CORS-like browser behaviors. 2) The client-side mechanisms one needs to implement UMP correctly are a small subset

Re: [IndexedDB] Promises (WAS: Seeking pre-LCWD comments for Indexed Database API; deadline February 2)

2010-03-04 Thread Mark S. Miller
On Thu, Mar 4, 2010 at 6:37 AM, Jeremy Orlow jor...@chromium.org wrote: You are quite right! I misunderstood how this part of promises worked. Is there excitement about speccing promises in general? Yes. The starting point for a lot of the commonjs promises work is Tyler's ref_send promise

Re: [UMP] Request for Last Call

2010-04-07 Thread Mark S. Miller
On Wed, Apr 7, 2010 at 2:54 AM, Anne van Kesteren ann...@opera.com wrote: On Tue, 06 Apr 2010 22:12:33 +0200, Tyler Close tyler.cl...@gmail.com wrote: I've uploaded a new draft of the Uniform Messaging Policy to: http://dev.w3.org/2006/waf/UMP/ This version adopts the same redirect

Re: [UMP] Request for Last Call

2010-04-08 Thread Mark S. Miller
On Thu, Apr 8, 2010 at 5:08 AM, Arthur Barstow art.bars...@nokia.com wrote: We also have the Comparison of CORS and UMP document:  http://www.w3.org/Security/wiki/Comparison_of_CORS_and_UM If we are going to continue with two separate specs, I think it is important re expectations from

Re: [UMP] Request for Last Call

2010-04-09 Thread Mark S. Miller
On Fri, Apr 9, 2010 at 2:08 AM, Anne van Kesteren ann...@opera.com wrote: On Thu, 08 Apr 2010 00:44:07 +0200, Mark S. Miller erig...@google.com wrote: Since then, both CORS and UMP have changed so that UMP is now a subset of CORS. Since advocacy of CORS includes agreement with this subset

Re: UMP / CORS: Implementor Interest

2010-04-21 Thread Mark S. Miller
On Tue, Apr 20, 2010 at 10:07 PM, Anne van Kesteren ann...@opera.com wrote: On Wed, 21 Apr 2010 01:27:10 +0900, Tyler Close tyler.cl...@gmail.com wrote: Why can't it be made exactly like UMP? All of the requirements in UMP have been discussed at length and in great detail on this list by some

Re: UMP / CORS: Implementor Interest

2010-04-21 Thread Mark S. Miller
On Wed, Apr 21, 2010 at 12:24 PM, Maciej Stachowiak m...@apple.com wrote: I agree that Anonymous or Anon is more clear as to the purpose than Uniform. In the same way this email is anonymous. Sure, I say it is from MarkM, but my browser doesn't add any identifying info that you can see. Even

Re: UMP / CORS: Implementor Interest

2010-04-22 Thread Mark S. Miller
On Wed, Apr 21, 2010 at 11:47 PM, Maciej Stachowiak m...@apple.com wrote: That being said, I'm totally open to a name that conveys the same meaning with less perceived ambiguity. I just don't think Uniform is it. It doesn't get across the main idea very well at all. We need a phrase that says

Re: UMP / CORS: Implementor Interest

2010-04-22 Thread Mark S. Miller
On Thu, Apr 22, 2010 at 11:00 AM, Maciej Stachowiak m...@apple.com wrote: On Apr 22, 2010, at 10:27 AM, Mark S. Miller wrote: On Wed, Apr 21, 2010 at 11:47 PM, Maciej Stachowiak m...@apple.com wrote: That being said, I'm totally open to a name that conveys the same meaning with less

Re: UMP / CORS: Implementor Interest

2010-04-22 Thread Mark S. Miller
On Mon, Apr 19, 2010 at 12:43 AM, Anne van Kesteren ann...@opera.com wrote: Hopefully it helps calling out attention to this in a separate thread. In http://lists.w3.org/Archives/Public/public-webapps/2010AprJun/0043.html Maciej states Apple has no interest in implementing UMP from the UMP

Re: UMP / CORS: Implementor Interest

2010-04-22 Thread Mark S. Miller
On Thu, Apr 22, 2010 at 4:33 PM, Mark S. Miller erig...@google.com wrote: [...] Caja parses a sanitized subset of HTML HTML5's tag soup algorithm. Sorry. I meant Caja parses a sanitized subset of HTML *using* HTML5's tag soup algorithm. Fortunately, the typo has little bearing on the overall

Re: [widgets] WARP default policy

2010-05-04 Thread Mark S. Miller
On Tue, May 4, 2010 at 10:29 AM, Scott Wilson scott.bradley.wil...@gmail.com wrote: I've just been reading through the WARP spec again, and in particular this stood out: In the default policy, a user agenthttp://www.w3.org/TR/widgets-access/#dfn-user-agent *must* deny access

Re: [widgets] WARP default policy

2010-05-04 Thread Mark S. Miller
On Tue, May 4, 2010 at 2:45 PM, Jonas Sicking jo...@sicking.cc wrote: If these were limited to Uniform Messages, how much of a need would there still be to disallow them? What would the remaining threats be? Would it allow reading resources behind corporate firewalls using a browser

Re: UMP / CORS: Implementor Interest

2010-05-06 Thread Mark S. Miller
XML is also a misnomer. And HTTP is confusing since it also works over https. At least we agree on Request. On Apr 21, 2010 12:24 PM, Maciej Stachowiak m...@apple.com wrote: On Apr 21, 2010, at 8:57 AM, Anne van Kesteren wrote: On Wed, 21 Apr 2010 23:37:54 +0900, Mark S... I agree that

Re: [xhr2] AnonXMLHttpRequest()

2010-05-10 Thread Mark S. Miller
On Mon, May 10, 2010 at 4:05 AM, Anne van Kesteren ann...@opera.com wrote: After considering the various names for constructing an XMLHttpRequest object that when fetching would not expose the origin and user credentials I decided to go with AnonXMLHttpRequest(). It was already in the draft as

Last Word-ism (was: Re: UMP / CORS: Implementor Interest)

2010-05-13 Thread Mark S. Miller
On Wed, May 12, 2010 at 10:02 PM, Ian Hickson i...@hixie.ch wrote: On Wed, 12 May 2010, Tyler Close wrote: So HTML is not vulnerable to Cross-Site Scripting, C++ is not vulnerable to buffer overflows and so CORS is not vulnerable to Confused Deputy. Correct. As explained above, CORS

Re: [cors] Allow-Credentials vs Allow-Origin: * on image elements?

2010-07-07 Thread Mark S. Miller
On Wed, Jul 7, 2010 at 1:09 PM, Charlie Reis cr...@chromium.org wrote: [...] That's unfortunate-- at least for now, that prevents servers from echoing the origin in the Access-Control-Allow-Origin header, so servers cannot host public images that don't taint canvases. The same problem likely
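
Both halves of the decision this thread turns on, as an added example that is not code from the thread or from any browser or server project: the response headers a server emits for a public resource versus a credentialed one, and the resource-sharing check a browser applies to that response, showing why a wildcard Access-Control-Allow-Origin is refused once credentials are attached and why a server that wants credentialed cross-origin access must echo the exact origin instead. The policy object, origin names and function names are assumptions made for the illustration; the "null" origin handling reflects what sandboxed iframes send, as discussed earlier in this archive.

```javascript
// Added example (not code from the thread). Server-side CORS header selection
// and the browser-side resource-sharing check, run end to end on constructed
// inputs. Policy shape, origin names and helper names are assumptions.

// Server side: choose response headers from the request's Origin header and
// the resource's policy.
function corsResponseHeaders(requestOrigin, policy) {
  const headers = {};
  if (typeof requestOrigin !== "string") return headers; // no Origin: nothing to grant

  if (policy.public) {
    // Public resource: wildcard. The browser honours this only for requests
    // made without credentials, which is what a public image needs in order
    // not to taint a canvas.
    headers["Access-Control-Allow-Origin"] = "*";
    return headers;
  }

  // "null" is the serialized origin of sandboxed iframes and file:/data:
  // documents. Every such document shares it, so it must never be trusted.
  if (requestOrigin === "null") return headers;

  if (policy.trustedOrigins.includes(requestOrigin)) {
    // Credentialed access: echo the exact origin (wildcard is not permitted
    // with credentials) and tell caches the response depends on Origin.
    headers["Access-Control-Allow-Origin"] = requestOrigin;
    headers["Access-Control-Allow-Credentials"] = "true";
    headers["Vary"] = "Origin";
  }
  return headers;
}

// Client side: the resource-sharing check a browser applies to the response.
// Returns true if the requesting page may read the response body.
function browserAllowsAccess(responseHeaders, requestOrigin, withCredentials) {
  const allowOrigin = responseHeaders["Access-Control-Allow-Origin"];
  if (allowOrigin === undefined) return false;
  if (!withCredentials) {
    return allowOrigin === "*" || allowOrigin === requestOrigin;
  }
  // Credentialed request: no wildcard, exact origin match, and the server
  // must opt in to credentials explicitly.
  return allowOrigin === requestOrigin &&
         responseHeaders["Access-Control-Allow-Credentials"] === "true";
}

// Constructed policies for the two resource kinds in the thread.
const publicImagePolicy = { public: true, trustedOrigins: [] };
const privateApiPolicy = { public: false, trustedOrigins: ["https://app.example"] };

// Full round trip: server chooses headers, browser checks them.
function roundTrip(requestOrigin, policy, withCredentials) {
  const headers = corsResponseHeaders(requestOrigin, policy);
  return browserAllowsAccess(headers, requestOrigin, withCredentials);
}

console.log(JSON.stringify({
  publicImageNoCreds: roundTrip("https://app.example", publicImagePolicy, false),
  publicImageWithCreds: roundTrip("https://app.example", publicImagePolicy, true),
  privateApiTrusted: roundTrip("https://app.example", privateApiPolicy, true),
  privateApiUntrusted: roundTrip("https://other.example", privateApiPolicy, true),
  privateApiNullOrigin: roundTrip("null", privateApiPolicy, true),
}));
```

The second entry in the printed result is the situation the thread describes: a resource served with a wildcard is unreadable the moment the fetch carries credentials, so a server that cannot echo the origin has no way to serve it to a credentialed image request.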

Re: CfC: to publish new WD of CORS; deadline July 20

2010-07-13 Thread Mark S. Miller
On Tue, Jul 13, 2010 at 6:50 AM, Arthur Barstow art.bars...@nokia.com wrote: All, Anne proposed WebApps publish a new WD of the CORS spec (last published in March 2009): http://dev.w3.org/2006/waf/access-control/ If you have any comments or concerns about this proposal, please send them

Re: Synchronous postMessage for Workers?

2012-02-14 Thread Mark S. Miller
On Mon, Feb 13, 2012 at 12:08 PM, John J Barton johnjbar...@johnjbarton.com wrote: On Mon, Feb 13, 2012 at 11:44 AM, Ian Hickson i...@hixie.ch wrote: On Thu, 17 Nov 2011, Joshua Bell wrote: Wouldn't it be lovely if the Worker script could simply make a synchronous call to fetch data

Re: Synchronous postMessage for Workers?

2012-02-14 Thread Mark S. Miller
On Tue, Feb 14, 2012 at 11:32 AM, John J Barton johnjbar...@johnjbarton.com wrote: On Tue, Feb 14, 2012 at 11:14 AM, David Bruant bruan...@gmail.com wrote: On 14/02/2012 14:31, Arthur Barstow wrote: Another addition will be promises. An already working example of promises can be found

Re: Synchronous postMessage for Workers?

2012-02-15 Thread Mark S. Miller
On Wed, Feb 15, 2012 at 8:09 AM, John J Barton johnjbar...@johnjbarton.com wrote: On Tue, Feb 14, 2012 at 10:39 PM, Jonas Sicking jo...@sicking.cc wrote: [...] function doStuff() { yieldUntil(x); }; now what looks like perfectly safe innocent code: function myFunction() { ...

Re: Synchronous postMessage for Workers?

2012-02-15 Thread Mark S. Miller
On Wed, Feb 15, 2012 at 9:37 AM, Mark S. Miller erig...@google.com wrote: On Wed, Feb 15, 2012 at 8:09 AM, John J Barton johnjbar...@johnjbarton.com wrote: On Tue, Feb 14, 2012 at 10:39 PM, Jonas Sicking jo...@sicking.cc wrote: [...] function doStuff() { yieldUntil(x); }; now

Re: Synchronous postMessage for Workers?

2012-02-15 Thread Mark S. Miller
On Wed, Feb 15, 2012 at 9:37 AM, Mark S. Miller erig...@google.com wrote: On Wed, Feb 15, 2012 at 8:09 AM, John J Barton johnjbar...@johnjbarton.com wrote: On Tue, Feb 14, 2012 at 10:39 PM, Jonas Sicking jo...@sicking.cc wrote: [...] function doStuff() { yieldUntil(x); }; now

Re: [Gamepad] Liveness of Gamepad objects

2014-04-29 Thread Mark S. Miller
I don't know anything about Gamepad. Could someone provide enough context that I can understand the question? Thanks. (Yes, I found https://dvcs.w3.org/hg/gamepad/raw-file/default/gamepad.html by googling. It's not what I need.) On Tue, Apr 29, 2014 at 10:16 AM, Brendan Eich

Re: [Gamepad] Liveness of Gamepad objects

2014-04-29 Thread Mark S. Miller
How would either make GC observable? On Tue, Apr 29, 2014 at 10:45 AM, Brandon Jones bajo...@google.com wrote: On Tue Apr 29 2014 at 10:24:48 AM, Mark S. Miller erig...@google.com wrote: I don't know anything about Gamepad. Could someone provide enough context that I can understand

Re: [Gamepad] Liveness of Gamepad objects

2014-04-29 Thread Mark S. Miller
On Tue, Apr 29, 2014 at 11:07 AM, Boris Zbarsky bzbar...@mit.edu wrote: On 4/29/14, 1:46 PM, Mark S. Miller wrote: How would either make GC observable? Consider the following code: navigator.getGamepads()[0].foo = 5; var intervals = 0; var id = setInterval(function

Re: Should / Can an EventHandler throw a stack overflow exception?

2014-06-30 Thread Mark S. Miller
I would like to see us take a principled stance on resource exhaustion errors in ES7. This includes both stack and heap, and both space and time. For example, the browser behavior on terminating a turn that takes too long and proceeding silently to the next turn leaves arbitrary invariants broken.