Hi, Adam-
Thanks for the reply.

Adam Barth wrote (on 10/24/09 1:00 AM):
> On Fri, Oct 23, 2009 at 5:29 PM, Doug Schepers <schep...@w3.org> wrote:
>> That's an interesting point... if the proponents or opponents of CORS did
>> more testing and modeling, would that satisfy concerns? Surely it couldn't
>> be hard to set up a few common model architectures using CORS and announce
>> them as targets for the white hat community?
>>
>> Mind you, I'm not stating one way or the other that this should be part of
>> the exit criteria for CORS, just that it would be helpful overall, and
>> frankly, if it hasn't been tried, I'm a little surprised... isn't this
>> *exactly* the sort of thing Google, MS, the browser vendors, and the
>> security community at large have the resources and expertise to do, as well
>> as the incentive? Can a brother get a honeypot?
>
> The issues that Mark and co raise are not really the kinds of things
> one can evaluate with a honeypot-type contest. They're worried about
> what web developers will build if we give them CORS as a tool.

Sorry for being dense, but why couldn't the whitehats build toy systems
on an open honeynet?
Regards-
-Doug Schepers
W3C Team Contact, SVG and WebApps WGs