On Apr 2, 2008, at 4:52 PM, Close, Tyler J. wrote:


> Sending the user's cookies, as AC4CSR does, is just not a viable design, since the target resource cannot determine whether or not the user consented to the request. I've posted several explanations of the attacks enabled by this use of ambient authority, and, in my opinion, the issues are still outstanding. The use of ambient authority in AC4CSR is a show-stopper, as reflected in the decision Mozilla announced on this mailing list.

Can you please post these examples again, or pointers to where you posted them? I believe they have not been previously seen on the Web API list. A number of people have mentioned that the AC approach to cross-site XHR is insecure (or that XDR is somehow more secure), but I have not yet seen any examples of specific attacks. I would love to see this information. If I do not see a description of a specific attack soon I will assume these claims are just FUD.

Note also that sending of cookies is not an essential feature of AC4CSR; certainly it could be a viable spec with that feature removed. Do you believe there are any other showstopper issues?

Regards,
Maciej
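The "ambient authority" point in the quoted message (a server that authorizes purely on the browser-attached cookie cannot tell whether the user intended the request or whether a page on another origin caused the browser to send it) can be made concrete with a small model. This is an added example written for this thread, not code from either participant or from the AC4CSR or XDR specifications. The `transfer` endpoint, the session table, the `csrf_token` field and the origins used are all constructed for illustration; the mitigation shown (a per-session secret that must be echoed in the request, plus a check of the `Origin` header when one is present) is the standard defender-side pattern, and the example deliberately stops at what the server sees rather than at how a cross-site page would be built.

```python
"""Toy model of cookie-only (ambient) authorization versus explicit authorization.

All names and values below are constructed for illustration; there is no
network and no real site involved.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional
import hmac

# Hypothetical server-side session store: session id -> session state.
# The csrf_token is a per-session secret that only pages from the site's own
# origin were given; a page on another origin never saw it.
SESSIONS: Dict[str, Dict[str, str]] = {
    "sess-1234": {"user": "alice", "csrf_token": "tok-abc"},
}
SITE_ORIGIN = "https://bank.example"  # constructed origin of the target site


@dataclass
class Request:
    """What the server sees: Origin header (may be absent), cookies, body."""
    origin: Optional[str]
    cookies: Dict[str, str]
    body: Dict[str, str] = field(default_factory=dict)


def session_from_cookie(req: Request) -> Optional[Dict[str, str]]:
    """Look up the session the browser attached via its cookie (ambient)."""
    return SESSIONS.get(req.cookies.get("session", ""))


def transfer_ambient(req: Request) -> str:
    """Authorizes on the cookie alone.

    The two sample requests below are indistinguishable to this handler,
    which is exactly the consent problem described in the quoted message.
    """
    sess = session_from_cookie(req)
    if sess is None:
        return "denied: no session"
    return f"ok: {sess['user']} transferred {req.body.get('amount', '?')}"


def transfer_explicit(req: Request) -> str:
    """Requires evidence the cookie alone cannot provide.

    1. If the browser sent an Origin header, it must name the site itself.
    2. The body must carry the per-session secret, compared in constant time.
    """
    sess = session_from_cookie(req)
    if sess is None:
        return "denied: no session"
    if req.origin is not None and req.origin != SITE_ORIGIN:
        return "denied: cross-origin"
    supplied = req.body.get("csrf_token", "")
    if not hmac.compare_digest(supplied, sess["csrf_token"]):
        return "denied: missing or wrong token"
    return f"ok: {sess['user']} transferred {req.body.get('amount', '?')}"


# Constructed sample traffic. In both cases the browser attaches the cookie
# automatically; only the explicit fields differ.
USER_INITIATED = Request(
    origin=SITE_ORIGIN,
    cookies={"session": "sess-1234"},
    body={"amount": "10", "csrf_token": "tok-abc"},
)
CROSS_SITE_INITIATED = Request(
    origin="https://other.example",  # constructed foreign origin
    cookies={"session": "sess-1234"},
    body={"amount": "10"},            # foreign page cannot know the token
)


def demo() -> Dict[str, str]:
    """Run both handlers over both requests; returns the four verdicts."""
    return {
        "ambient/user": transfer_ambient(USER_INITIATED),
        "ambient/cross": transfer_ambient(CROSS_SITE_INITIATED),
        "explicit/user": transfer_explicit(USER_INITIATED),
        "explicit/cross": transfer_explicit(CROSS_SITE_INITIATED),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:15s} -> {verdict}")
```

The cookie-only handler accepts both requests because the browser attaches the cookie regardless of which page triggered the request; the explicit handler rejects the cross-origin one on the `Origin` check, and would still reject it on the token check if the browser had sent no `Origin` header at all (the older-browser case), since the foreign page has nothing to put in `csrf_token`.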
