Re: [cors] unaddressed security concerns

2009-11-16 Thread Tyler Close
On Thu, Nov 5, 2009 at 9:59 PM, Maciej Stachowiak wrote: > > Hi Tyler, > > On Nov 5, 2009, at 5:48 PM, Tyler Close wrote: > >> Closing remark: >> >> In another thread, you've written "I do think that a way to do an >> anonymous XHR is justified", so I don't know how much sense it makes >> to conti

Re: [cors] unaddressed security concerns

2009-11-05 Thread Maciej Stachowiak
On Nov 5, 2009, at 6:04 PM, Devdatta wrote: Hi Maciej, Read If the resource is owned by the domain specified by Origin, return the data. . CrossDomainCopydomain> I don't understand the aim of the whole protocol you have outlined above. I'm sorry, I outlined it in a p

Re: [cors] unaddressed security concerns

2009-11-05 Thread Maciej Stachowiak
Hi Tyler, On Nov 5, 2009, at 5:48 PM, Tyler Close wrote: Closing remark: In another thread, you've written "I do think that a way to do an anonymous XHR is justified", so I don't know how much sense it makes to continue this thread. You put so much effort into this email that I felt I owed yo

Re: [cors] unaddressed security concerns

2009-11-05 Thread Devdatta
Hi Maciej, > > Read > If the resource is owned by the domain specified by Origin, return > the data. > . > CrossDomainCopy > I don't understand the aim of the whole protocol you have outlined above. Are you saying CORS should be rewritten to directly support such a design ? or Is

Re: [cors] unaddressed security concerns

2009-11-05 Thread Tyler Close
Hi Maciej, Responses inline below... On Wed, Nov 4, 2009 at 9:36 PM, Maciej Stachowiak wrote: > > On Nov 3, 2009, at 5:33 PM, Tyler Close wrote: >> On Mon, Oct 12, 2009 at 7:19 AM, Maciej Stachowiak wrote: >>> >>> As a side note, I should add that Tyler's scenario would be much simpler >>> over

Re: [cors] unaddressed security concerns

2009-11-03 Thread Tyler Close
I was just catching up on email and thought it might be useful to respond to this one even though it's a couple weeks old now, since in general the group seems to want more examples. On Mon, Oct 12, 2009 at 7:19 AM, Maciej Stachowiak wrote: > As a side note, I should add that Tyler's scenario wou

Re: [cors] unaddressed security concerns

2009-10-27 Thread Anne van Kesteren
On Sat, 24 Oct 2009 19:07:24 +0200, Adam Barth wrote: On Fri, Oct 23, 2009 at 11:07 PM, David-Sarah Hopwood wrote: The specific risk is quite clear: it's the risk of CSRF attacks that are currently prevented (or mitigated) by the same-origin policy. These won't be prevented or mitigated to the

Re: [cors] unaddressed security concerns

2009-10-26 Thread Jon Ferraiolo

Re: [cors] unaddressed security concerns

2009-10-24 Thread Doug Schepers
Hi, Maciej- Maciej Stachowiak wrote (on 10/24/09 4:42 PM): On Oct 24, 2009, at 10:03 AM, Adam Barth wrote: On Fri, Oct 23, 2009 at 10:34 PM, Doug Schepers mailto:schep...@w3.org>> wrote: Sorry for being dense, but why couldn't the whitehats build toy systems on an open honeynet? I suspect

Re: [cors] unaddressed security concerns

2009-10-24 Thread Maciej Stachowiak
On Oct 24, 2009, at 10:03 AM, Adam Barth wrote: On Fri, Oct 23, 2009 at 10:34 PM, Doug Schepers wrote: Sorry for being dense, but why couldn't the whitehats build toy systems on an open honeynet? They could, but what would we learn from such an experiment? If they build only secure syst

CORS Best Practices (was: [cors] unaddressed security concerns)

2009-10-24 Thread Doug Schepers
Hi, David-Sarah- David-Sarah Hopwood wrote (on 10/24/09 2:07 AM): Currently, the prevalence and impact of CSRF attacks is limited to some extent by the same-origin restrictions. The adoption of CORS will remove part of that limitation. This should be expected to result in more sites that rely o

Re: [cors] unaddressed security concerns

2009-10-24 Thread Adam Barth
On Fri, Oct 23, 2009 at 11:07 PM, David-Sarah Hopwood wrote: > The specific risk is quite clear: it's the risk of CSRF attacks that > are currently prevented (or mitigated) by the same-origin policy. > These won't be prevented or mitigated to the same extent by browsers > that implement CORS. The

Re: [cors] unaddressed security concerns

2009-10-24 Thread Adam Barth
On Fri, Oct 23, 2009 at 10:34 PM, Doug Schepers wrote: > Sorry for being dense, but why couldn't the whitehats build toy systems on > an open honeynet? They could, but what would we learn from such an experiment? If they build only secure systems, then we'd learn that security experts can build

Re: [cors] unaddressed security concerns

2009-10-24 Thread Kris Zyp
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 David-Sarah Hopwood wrote: > Doug Schepers wrote: >> I'm not at all a security expert, or even particularly >> well-informed on the topic, but it does occur to me that most of >> CORS' opponents seem very much in the capability-based security >> cam

Re: [cors] unaddressed security concerns

2009-10-24 Thread Doug Schepers
Hi, David-Sarah- David-Sarah Hopwood wrote (on 10/24/09 2:45 AM): Doug Schepers wrote: I'm not at all a security expert, or even particularly well-informed on the topic, but it does occur to me that most of CORS' opponents seem very much in the capability-based security camp [1], and may dis

Re: [cors] unaddressed security concerns

2009-10-23 Thread David-Sarah Hopwood
Doug Schepers wrote: > I'm not at all a security expert, or even particularly well-informed on > the topic, but it does occur to me that most of CORS' opponents seem > very much in the capability-based security camp [1], and may distrust or > dislike something more "authentication-based" like CORS.

Re: [cors] unaddressed security concerns

2009-10-23 Thread David-Sarah Hopwood
Doug Schepers wrote: > Jonathan Rees wrote (on 10/23/09 5:04 PM): >> >> The brief summary of the debate is that Mark M is citing Tyler's >> argument, and Mark's and Tyler's long experience with this kind of >> thing, in predicting that any system with the currently described CORS >> architecture wi

Re: [cors] unaddressed security concerns

2009-10-23 Thread Doug Schepers
Hi, Adam- Thanks for the reply. Adam Barth wrote (on 10/24/09 1:00 AM): On Fri, Oct 23, 2009 at 5:29 PM, Doug Schepers wrote: That's an interesting point... if the proponents or opponents of CORS did more testing and modeling, would that satisfy concerns? Surely it couldn't be hard to set

Re: [cors] unaddressed security concerns

2009-10-23 Thread Adam Barth
On Fri, Oct 23, 2009 at 5:29 PM, Doug Schepers wrote: > That's an interesting point... if the proponents or opponents of CORS did > more testing and modeling, would that satisfy concerns?  Surely it couldn't > be hard to set up a few common model architectures using CORS and announce > them as tar

Re: [cors] unaddressed security concerns

2009-10-23 Thread Doug Schepers
Hi, Jonathan- Jonathan Rees wrote (on 10/23/09 5:04 PM): Thanks for putting the situation in these terms; I like the form of this analysis, even if am not sure I agree with the conclusion. Thanks, I hope it helped. The brief summary of the debate is that Mark M is citing Tyler's argument,

Re: [cors] unaddressed security concerns

2009-10-23 Thread Jonathan Rees
Comments below On Thu, Oct 22, 2009 at 6:12 PM, Doug Schepers wrote: > Let's take it a step further, and propose a worst-case scenario.  Say that > some undetected hypothetical vulnerability in CORS is discovered some years > from now, with a degree of severity akin to CSRF. > > At that time, we

Re: [cors] unaddressed security concerns

2009-10-22 Thread Doug Schepers
Hi, Folks- Maciej Stachowiak wrote (on 10/13/09 10:47 PM): On Oct 13, 2009, at 5:31 PM, Mark S. Miller wrote: 2) How well do cross-origin cookies support the simple use cases of cross-origin resource sharing? As we all now know, many simple use cases are supported well by cross-origin cookie

Re: [cors] unaddressed security concerns

2009-10-13 Thread Maciej Stachowiak
On Oct 13, 2009, at 5:31 PM, Mark S. Miller wrote: On Mon, Oct 12, 2009 at 10:49 PM, Adam Barth wrote: [...] We should concentrate on the following questions: 1) Does CORS introduce security vulnerabilities into legacy servers that are unaware of the CORS protocol? 2) How well does CORS sup

Re: [cors] unaddressed security concerns

2009-10-13 Thread Mark S. Miller
On Mon, Oct 12, 2009 at 10:49 PM, Adam Barth wrote: > [...] We should concentrate on the following questions: > > 1) Does CORS introduce security vulnerabilities into legacy servers > that are unaware of the CORS protocol? > 2) How well does CORS support the simple use cases of cross-origin > reso

Re: [cors] unaddressed security concerns

2009-10-13 Thread Arthur Barstow
On Oct 13, 2009, at 1:49 AM, ext Adam Barth wrote: If this is not access control, I must ask: what do you mean by "access control"? I'm not sure the abstract question of whether CORS is an access control system is that meaningful. We should concentrate on the following questions: 1) Does CO

Re: [cors] unaddressed security concerns

2009-10-12 Thread Adam Barth
On Mon, Oct 12, 2009 at 8:24 PM, Mark S. Miller wrote: > Most obviously, CORS proposes ACLs, with comma separated origins > (following an Origin: header) to be used by servers to determine > whether to grant read/PUT/DELETE access to cross-origin resources. The CORS spec doesn't require servers t

Re: [cors] unaddressed security concerns

2009-10-12 Thread Mark S. Miller
On Sun, Oct 11, 2009 at 11:36 PM, Anne van Kesteren wrote: > The concern seems to be mostly about CORS being an access control system. Yes. > I'm not entirely sure that is justified (though the headers are indeed > confusingly named, mea culpa). All CORS does is allowing cross-origin > resource

Re: [cors] unaddressed security concerns

2009-10-12 Thread Maciej Stachowiak
On Oct 12, 2009, at 7:04 AM, Maciej Stachowiak wrote: On Oct 9, 2009, at 4:36 PM, Mark S. Miller wrote: The last of the links above should make the application to CORS concrete. See also the dismissive replies which followed in that thread. If you find these dismissals plausible, please ima

Re: [cors] unaddressed security concerns

2009-10-12 Thread Maciej Stachowiak
On Oct 9, 2009, at 4:36 PM, Mark S. Miller wrote: The last of the links above should make the application to CORS concrete. See also the dismissive replies which followed in that thread. If you find these dismissals plausible, please imagine back to the world in which CSRF was first diagnosed

Re: [cors] unaddressed security concerns

2009-10-12 Thread Anne van Kesteren
On Mon, 12 Oct 2009 14:50:07 +0200, Jonathan Rees wrote: If access to resources weren't controlled (i.e. secure in the face of realistic risks), why would you deploy the feature? The feature is there to enable resources talking to each other in cross-origin fashion in a way that does not co

Re: [cors] unaddressed security concerns

2009-10-12 Thread Jonathan Rees
On Mon, Oct 12, 2009 at 2:36 AM, Anne van Kesteren wrote: > On Sat, 10 Oct 2009 01:36:50 +0200, Mark S. Miller > wrote: >> >> The last of the links above should make the application to CORS >> concrete. See also the dismissive replies which followed in that >> thread. If you find these dismissals

Re: [cors] unaddressed security concerns

2009-10-11 Thread Anne van Kesteren
On Sat, 10 Oct 2009 01:36:50 +0200, Mark S. Miller wrote: The last of the links above should make the application to CORS concrete. See also the dismissive replies which followed in that thread. If you find these dismissals plausible, please imagine back to the world in which CSRF was first dia

Re: [cors] unaddressed security concerns

2009-10-09 Thread Mark S. Miller
On Thu, Oct 8, 2009 at 9:16 AM, Anne van Kesteren wrote: > On Thu, 08 Oct 2009 18:07:29 +0200, Mark S. Miller > wrote: >> >> The core criticism that several of us have raised about CORS has never >> been addressed -- that it creates further confused deputy problems. >> Rather than addressing the

[cors] unaddressed security concerns

2009-10-08 Thread Anne van Kesteren
On Thu, 08 Oct 2009 18:07:29 +0200, Mark S. Miller wrote: The core criticism that several of us have raised about CORS has never been addressed -- that it creates further confused deputy problems. Rather than addressing the "first order" confused deputy problem of CSRF, it merely postpones it o