ISSUE-108: confused deputy problem
confused deputy problem
- State:
- CLOSED
- Product:
- HISTORICAL: CORS [this spec uses Bugzilla for Bug/Issue tracking http://tinyurl.com/Bugz-CORS]
- Raised by:
- Anne van Kesteren
- Opened on:
- 2009-11-02
- Description:
- See http://lists.w3.org/Archives/Public/public-webapps/2009AprJun/1324.html and follow up. Also see minutes of Santa Clara F2F.
- Related Action Items:
- ACTION-442 on Mark Miller to Make a worked example of how e.g. GuestXHR would meet the requirements with improved security - due 2009-11-11, closed
- Related emails:
- Re: CfC: CORS to advance to Last Call (from art.barstow@nokia.com on 2011-12-20)
- Re: CORS & ISSUE-108 (from dpranke@chromium.org on 2010-11-23)
- Re: CORS & ISSUE-108 (from tyler.close@gmail.com on 2010-11-23)
- CORS & ISSUE-108 (from annevk@opera.com on 2010-11-17)
- Re: [UMP] Request for Last Call (from tyler.close@gmail.com on 2010-04-19)
- Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call] (from tyler.close@gmail.com on 2010-04-08)
- Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call] (from Art.Barstow@nokia.com on 2010-04-08)
- Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call] (from annevk@opera.com on 2010-04-07)
- CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call] (from art.barstow@nokia.com on 2010-04-07)
- [CORS] ISSUE-108: confused deputy problem (from art.barstow@nokia.com on 2009-11-05)
- ISSUE-108: confused deputy problem [CORS] (from sysbot+tracker@w3.org on 2009-11-02)
Related notes:
During the 2009-11 f2f, this issue was articulated as, "Is there an obvious way to use CORS that introduces a risk of confused deputy attacks or other security risks?" See http://www.w3.org/2009/11/02-webapps-minutes.html#item03
Michael[tm] Smith, 2 Nov 2009, 22:47:10
CORS is now a REC and part of WebAppSecWG.
Arthur Barstow, 18 Oct 2015, 13:29:20