On Tue, Jul 13, 2010 at 6:50 AM, Arthur Barstow art.bars...@nokia.com wrote:
All,
Anne proposed WebApps publish a new WD of the CORS spec (last published in
March 2009):
http://dev.w3.org/2006/waf/access-control/
If you have any comments or concerns about this proposal, please send them
to public-webapps by July 20 at the latest.
As with all of our CfCs, positive response is preferred and encouraged and
silence will be assumed to be assent.
-Art Barstow
Hi Art,
Just a reminder that the Security Considerations section
http://dev.w3.org/2006/waf/access-control/#security needs to say more. Our
last discussion of it at
http://lists.w3.org/Archives/Public/public-webapps/2010AprJun/0709.html
left the issue with:
For example, will the Security Considerations
section of CORS have to say:
It is not safe in CORS to make a GET request for public data using a
URL obtained from a possibly malicious party. Validating the URL
requires global knowledge of all origins that might grant special
access to the requestor's origin, and so return private user data.
Yes, one would imagine saying something quite similar to that.
[...]
I am attempting to highlight that neither solution is a panacea, and
that you need to be aware of the limitations of either approach. The
UMP Security Considerations section has a long list of SHOULDs that
need to be followed in order for the approach to be secure, just as
the HTTP-State draft does, and just as the CORS spec should.
Has anyone been working towards a revised Security Considerations section?
--
Cheers,
--MarkM
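As an added illustration of the consideration quoted above (this is example code, not from Mark's message, the CORS spec or the UMP draft): a page that must issue a cross-origin GET for a URL handed to it by an untrusted party can only avoid fetching someone's private data by checking that URL against an explicit allowlist of hosts it knows serve public data only. The allowlist entries and the host names below are constructed.

```javascript
// Added example, not part of the thread. Hosts listed here are constructed;
// in practice the list is the "global knowledge" the message says validation
// requires: every host not on it must be treated as potentially granting
// our origin special access and returning private data.
const PUBLIC_HOSTS = new Set(["api.example.org", "data.example.net"]);

// Returns { ok: true, url } for an acceptable target or { ok: false, reason }.
function checkCrossOriginTarget(candidate, allowlist = PUBLIC_HOSTS) {
  let url;
  try {
    url = new URL(candidate);
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) {
    return { ok: false, reason: "embedded credentials not allowed" };
  }
  if (url.port !== "") {
    // new URL() normalises the default port to "", so anything left here
    // is a non-default port we have no allowlist entry for.
    return { ok: false, reason: "non-default port not allowed" };
  }
  if (!allowlist.has(url.hostname)) {
    return { ok: false, reason: `host ${url.hostname} not on allowlist` };
  }
  return { ok: true, url: url.href };
}

// Fetch wrapper: only allowlisted targets are requested, and never with
// ambient credentials (cookies, HTTP auth). Dropping credentials removes
// cookie-based authority but not authority a server grants by Origin or by
// network position, which is why the allowlist check is still needed.
async function fetchPublicData(candidate) {
  const verdict = checkCrossOriginTarget(candidate);
  if (!verdict.ok) {
    throw new Error(`refusing cross-origin GET: ${verdict.reason}`);
  }
  const response = await fetch(verdict.url, { mode: "cors", credentials: "omit" });
  if (!response.ok) throw new Error(`HTTP ${response.status}`);
  return response.json();
}
```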