On Tue, Jul 13, 2010 at 6:50 AM, Arthur Barstow <art.bars...@nokia.com> wrote:
> All,
>
> Anne proposed WebApps publish a new WD of the CORS spec (last published in
> March 2009):
>
> http://dev.w3.org/2006/waf/access-control/
>
> If you have any comments or concerns about this proposal, please send them
> to public-webapps by July 20 at the latest.
>
> As with all of our CfCs, positive response is preferred and encouraged and
> silence will be assumed to be assent.
>
> -Art Barstow
>

Hi Art,

Just a reminder that the Security Considerations section <http://dev.w3.org/2006/waf/access-control/#security> needs to say more. Our last discussion of it at <http://lists.w3.org/Archives/Public/public-webapps/2010AprJun/0709.html> left the issue with:

> For example, will the Security Considerations
> section of CORS have to say:
>
> "It is not safe in CORS to make a GET request for public data using a
> URL obtained from a possibly malicious party. Validating the URL
> requires global knowledge of all origins that might grant special
> access to the requestor's origin, and so return private user data."
>
> Yes, one would imagine saying something quite similar to that.
>
> [...]
>
> I am attempting to highlight that neither solution is a panacea, and that
> you need to be aware of the limitations of either approach. The UMP
> "Security Considerations" section has a long list of SHOULDs that need to
> be followed in order for the approach to be secure, just as the HTTP-State
> draft does, and just as the CORS spec should.

Has anyone been working towards a revised Security Considerations section?

--
Cheers,
--MarkM