Maciej Stachowiak wrote: > On Apr 2, 2008, at 4:52 PM, Close, Tyler J. wrote: > > > > > Sending the user's cookies, as AC4CSR does, is just not a viable > > design, since the target resource cannot determine whether or not > > the user consented to the request. I've posted several explanations > > of the attacks enabled by this use of ambient authority, and, in my > > opinion, the issues are still outstanding. The use of ambient > > authority in AC4CSR is a show-stopper, as reflected in the decision > > Mozilla announced on this mailing list. > > Can you please post these examples again, or pointers to where you > posted them? I believe they have not been previously seen on the Web > API list.
I've written several messages to the appformats mailing list. I suggest reading all of them. The most detailed description of the attacks are in the message at: http://www.w3.org/mid/[EMAIL PROTECTED] with a correction at: http://www.w3.org/mid/[EMAIL PROTECTED] > A number of people have mentioned that the AC approach to > cross-site XHR is insecure (or that XDR is somehow more secure), but I > have not yet seen any examples of specific attacks. I would love to > see this information. If I do not see a description of a specific > attack soon I will assume these claims are just FUD. I think we've met before at a SHDH event. That was a more pleasant conversation. Hopefully, we'll be able to regain that tone. > Note also that sending of cookies is not an essential feature of > AC4CSR; certainly it could be a viable spec with that feature removed. > Do you believe there are any other showstopper issues? Possibly. There is a lot of complexity in the AC4CSR proposal. I've been writing about the most severe things as I find them. --Tyler
