On Thu, 08 Oct 2009 18:07:29 +0200, Mark S. Miller <erig...@google.com> wrote:
> The core criticism that several of us have raised about CORS has never
> been addressed -- that it creates further confused deputy problems.
> Rather than addressing the "first order" confused deputy problem of
> CSRF, it merely postpones it one level, creating second order confused
> deputy problems. See Tyler's example.

I'd appreciate a pointer.


>> I was wondering if the TAG considers this item closed or wishes to know
>> something more, in which case I'd like to hear about it! I'm trying to wrap
>> up email threads and this is one of them. Thanks!

> If the confused deputy problems created by CORS have already been
> addressed, I'd like to hear about that. Did I miss part of the thread?

>> PS: The remainder of this thread about redirects and CSRF is being taken
>> care of by updates to both CORS and the Origin header draft Adam is working
>> on. In short Origin will most likely become a space-separated list revealing
>> the entire request chain.

> Please go back and read "Origin isn't". The redirect problem Tyler
> pointed out was merely a symptom of a deeper problem. Tyler was able
> to identify this symptom because he does not regard the underlying
> problem as merely theoretical. The Origin list "solution" is curing
> the symptom only.

I'm not sure what you are referring to, but I thought all outstanding issues were dealt with to be honest. (Or ended in agreed to disagree.) If there are still problems it would help me if they were made more concrete. "confused deputy" does not help me much because I don't see the problem you are seeing.


--
Anne van Kesteren
http://annevankesteren.nl/
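The thread above mentions that the Origin header was expected to become a space-separated list revealing the entire request chain. The following is an added illustration, not code from this thread, from the CORS draft or from the Origin draft, of how a resource server would have to consume such a list to close the redirect hole that the thread discusses. It assumes the first token in the list is the origin that initiated the request and that later tokens are redirect hops; the header values and the trusted origins are constructed samples.

```python
"""Added example: consuming a space-separated Origin request chain.

Written for this page; not code from the CORS or Origin drafts.
Assumption: the first token is the initiating origin and each later
token is an origin the request was redirected through.
"""
from urllib.parse import urlsplit

# Constructed sample allowlist for the resource server.
TRUSTED_ORIGINS = frozenset({"https://app.example", "https://admin.example"})


def parse_origin_chain(header_value):
    """Split an Origin header into its ordered list of serialized origins.

    Every token must be scheme://host[:port] with no path, query or
    fragment.  Anything else, including the opaque "null" origin, makes
    the whole header unusable for an allowlist decision, so None is
    returned rather than a partial chain.
    """
    if header_value is None:
        return None
    chain = []
    for token in header_value.split():
        parts = urlsplit(token)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            return None
        if parts.path or parts.query or parts.fragment:
            return None
        chain.append(f"{parts.scheme}://{parts.netloc}".lower())
    return chain or None


def allowed_first_origin_only(header_value, trusted=TRUSTED_ORIGINS):
    """Weak check: consults only the initiating origin.

    This reproduces the redirect symptom from the thread: a request that
    started at a trusted origin but passed through an untrusted
    redirector still carries the trusted origin at the front of the
    list, so it is accepted.
    """
    chain = parse_origin_chain(header_value)
    return bool(chain) and chain[0] in trusted


def allowed_whole_chain(header_value, trusted=TRUSTED_ORIGINS):
    """Stricter check: every origin in the chain must be trusted.

    A single untrusted hop anywhere in the chain rejects the request.
    """
    chain = parse_origin_chain(header_value)
    return bool(chain) and all(origin in trusted for origin in chain)


if __name__ == "__main__":
    # Constructed sample: trusted initiator, redirected via an untrusted host.
    sample = "https://app.example https://evil.example"
    print("first-origin check:", allowed_first_origin_only(sample))  # True
    print("whole-chain check: ", allowed_whole_chain(sample))        # False
```

Note what this does and does not fix. Requiring every listed origin to be trusted closes the redirect symptom, but the decision is still made from the identity of whoever sent the request rather than from what that sender was authorized to do, which is the deeper confused deputy concern the thread raises; a trusted origin that can be induced to make requests on another party's behalf passes this check unchanged.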
