Re: CfC: to publish new WD of CORS; deadline July 20

2010-07-14 Thread Anne van Kesteren
On Tue, 13 Jul 2010 17:50:26 +0200, Mark S. Miller erig...@google.com wrote:
Has anyone been working towards a revised Security Considerations section?


Your Google colleague Dirk has volunteered but I believe has not yet had the time unfortunately.



--
Anne van Kesteren
http://annevankesteren.nl/



Re: CfC: to publish new WD of CORS; deadline July 20

2010-07-14 Thread Dirk Pranke
That is correct (both that I volunteered and that I have not had time).

I find myself home-bound for a couple days so I should be able to get
something out to Anne for feedback by the end of the week.

Apologies to all for the delay,

-- Dirk

On Wed, Jul 14, 2010 at 3:48 AM, Anne van Kesteren ann...@opera.com wrote:
 On Tue, 13 Jul 2010 17:50:26 +0200, Mark S. Miller erig...@google.com
 wrote:

 Has anyone been working towards a revised Security Considerations section?

 Your Google colleague Dirk has volunteered but I believe has not yet had the
 time unfortunately.


 --
 Anne van Kesteren
 http://annevankesteren.nl/




Re: CfC: to publish new WD of CORS; deadline July 20

2010-07-13 Thread Mark S. Miller
On Tue, Jul 13, 2010 at 6:50 AM, Arthur Barstow art.bars...@nokia.com wrote:

 All,

 Anne proposed WebApps publish a new WD of the CORS spec (last published in
 March 2009):

  http://dev.w3.org/2006/waf/access-control/

 If you have any comments or concerns about this proposal, please send them
 to public-webapps by July 20 at the latest.

 As with all of our CfCs, positive response is preferred and encouraged and
 silence will be assumed to be assent.

 -Art Barstow



Hi Art,

Just a reminder that the Security Considerations section 
http://dev.w3.org/2006/waf/access-control/#security needs to say more. Our
last discussion of it at 
http://lists.w3.org/Archives/Public/public-webapps/2010AprJun/0709.html
left the issue with:


For example, will the Security Considerations
section of CORS have to say:
   
It is not safe in CORS to make a GET request for public data using a
URL obtained from a possibly malicious party. Validating the URL
requires global knowledge of all origins that might grant special
access to the requestor's origin, and so return private user data.

   Yes, one would imagine saying something quite similar to that.

[...]

   I am attempting to highlight that neither solution is a panacea, and
   that you need to be aware of the limitations of either approach. The
   UMP Security Considerations section has a long list of SHOULDs that
   need to be followed in order for the approach to be secure, just as
   the HTTP-State draft does, and just as the CORS spec should.


Has anyone been working towards a revised Security Considerations section?

-- 
Cheers,
--MarkM
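The point of the quoted paragraph (a page on a trusted origin fetching an attacker-chosen URL with its ambient credentials and thereby reading private data it believed was public), as an added, constructed illustration that is neither from this thread nor from the CORS or UMP drafts. The resource server, the browser-side check, the origins, cookie value and data are all simplified assumptions; `'include'` versus `'omit'` stands for whether the request carries the user's cookies.

```javascript
// Constructed model: one resource server, one trusted origin, one user.
const TRUSTED_ORIGINS = new Set(['https://app.example']);
const SESSION_COOKIE = 'session=alice'; // sample credential, not real

// Simulated resource server: chooses CORS headers and body per request.
// It grants the trusted origin credentialed access to the private view.
function serve(req) {
  const loggedIn = req.cookie === SESSION_COOKIE;
  if (loggedIn && TRUSTED_ORIGINS.has(req.origin)) {
    return {
      headers: { 'access-control-allow-origin': req.origin,
                 'access-control-allow-credentials': 'true' },
      body: "PRIVATE: alice's address book",
    };
  }
  return { headers: { 'access-control-allow-origin': '*' },
           body: "PUBLIC: today's weather" };
}

// Simplified browser-side check for a simple cross-origin GET.
// Returns the body the page's script may read, or null if CORS blocks it.
function corsFetch(pageOrigin, url, credentials) {
  const req = { origin: pageOrigin, url,
                cookie: credentials === 'include' ? SESSION_COOKIE : undefined };
  const res = serve(req);
  const acao = res.headers['access-control-allow-origin'];
  if (credentials === 'include') {
    if (acao !== pageOrigin ||
        res.headers['access-control-allow-credentials'] !== 'true') return null;
  } else if (acao !== '*' && acao !== pageOrigin) {
    return null;
  }
  return res.body;
}

// The page on the trusted origin is handed a URL by an untrusted party and
// assumes it points at public data. With ambient credentials attached, the
// server's trust in app.example turns the page into a confused deputy; with
// credentials omitted, only the genuinely public view comes back.
function fetchPublicDataUnsafe(untrustedUrl) {
  return corsFetch('https://app.example', untrustedUrl, 'include');
}
function fetchPublicDataSafe(untrustedUrl) {
  return corsFetch('https://app.example', untrustedUrl, 'omit');
}
```

Note that CORS itself behaves as designed here: a page on an untrusted origin asking for the same resource with credentials is blocked; the exposure comes only from the trusted page forwarding its own authority.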


Re: CfC: to publish new WD of CORS; deadline July 20

2010-07-13 Thread Charles McCathieNevile
On Tue, 13 Jul 2010 15:50:46 +0200, Arthur Barstow art.bars...@nokia.com wrote:



All,

Anne proposed WebApps publish a new WD of the CORS spec (last published in March 2009):


Yes please...

cheers

--
Charles McCathieNevile  Opera Software, Standards Group
je parle français -- hablo español -- jeg lærer norsk
http://my.opera.com/chaals   Try Opera: http://www.opera.com