On Jan 12, 2010, at 12:29 PM, Adam Barth wrote:

On Tue, Jan 12, 2010 at 10:51 AM, Tyler Close <[email protected]> wrote:
It's not feasible to remove all ambient authority. For example, the
client has the authority to send requests from its IP address. So we
draw a line between network connectivity and issued credentials. Proxy
credentials provide network connectivity.

Also, as a practical matter, disallowing Proxy-Authorization might
inhibit use of UMP, since a resource author would be concerned about
the loss of users who are required to use a proxy.

Right, this is the essential point: whether we should remove a piece
of ambient authority is a risk management decision.  Instead of
dogmatically stomping out all forms of ambient authority, we ought to
weigh the costs of removing the authority (in this case compatibility
issues with existing proxy deployments) with the benefits (greater
resilience to a class of vulnerabilities).

The reason we have different beliefs about whether CORS or UMP is a
better protocol is because we perceive the risks and rewards
differently.  Ultimately, authors are in a better position to weigh
these factors than we are, which is why we should provide both APIs.

+1

 - Maciej

