Re: IE Team's Proposal for Cross Site Requests

On 2008-03-17 19:52:18 -0700, Sunava Dutta wrote:

> The Access-Control spec notes that:

>       Authors are to ensure that GET requests on their
>       applications have no side effects. If by some means an
>       attacker finds out what applications a user is associated
>       with, it might "attack" these applications with GET
>       requests that can effect [sic] the user's data (if the user
>       is already authenticated with any of these applications by
>       means of cookies or HTTP authentication).

> I'm concerned that this note suggests that the spec fails to meet
> its own requirement #2:

>       Must not require content authors or site maintainers to
>       implement new or additional security protections to
>       preserve their existing level of security protection.

> ...As cookies and HTTP authentication are commonly used security
> protections yet they are sent by cross-origin requests.  CSRF is
> already a growing problem in the wild, and the Access-Control
> mechanism requires that web developers understand extremely
> subtle aspects of the security model to keep their sites secure.

I'm not sure how subtle the GET vs POST aspect really is -- after
all, Web developers who use GET with side effects without employing 
mitigating techniques will already expose themselves to:

- any clients or proxies that assume that GET is idempotent

- attackers' ability to place pretty arbitrary GET requests with
  HTTP authentication headers and cookies, cross-site

That's not new, and it's not made worse in any significant way by
the access-control spec.

-- 
Thomas Roessler, W3C  <tlr@w3.org>

Received on Tuesday, 18 March 2008 08:25:05 UTC
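The exposure Roessler's two bullets describe, shown as an added example that is not code from the thread, the Access-Control draft, or any real application: a state-changing endpoint reachable by GET is hit both by a cross-site request the browser decorates with the victim's cookie and by a client or proxy that replays the GET because it assumes GET is idempotent. The hardened handler beside it accepts the operation only on POST and only with a token bound to the session. All names here (handle_vulnerable, handle_hardened, the in-memory session store, the demo secret) are constructed for the illustration.

```python
"""Constructed demo: a state-changing endpoint exposed on GET versus the
same endpoint hardened to POST plus a session-bound CSRF token.
Every name and value here is hypothetical."""
import hashlib
import hmac

SERVER_SECRET = b"constructed-demo-secret"  # constructed; load from config in practice


def new_store():
    """Constructed session store: cookie value -> session state."""
    return {"sess-alice": {"user": "alice", "balance": 100}}


def csrf_token_for(session_id):
    """Bind a token to the session. A page on another origin cannot read the
    victim's cookie or the victim's page, so it cannot learn this value."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_vulnerable(store, method, path, query, cookies):
    """GET with side effects: a cross-site <img src="/transfer?amount=30">
    carries the victim's cookie and moves money, whatever the method."""
    session = store.get(cookies.get("session"))
    if session is None:
        return 401
    if path == "/transfer":
        session["balance"] -= int(query.get("amount", "0"))
        return 200
    return 404


def handle_hardened(store, method, path, cookies, form):
    """Same operation, but (1) only on POST, so a navigation, image load or
    proxy prefetch never reaches it, and (2) only with the session-bound
    token, which a cross-site form POST cannot supply."""
    session_id = cookies.get("session")
    session = store.get(session_id)
    if session is None:
        return 401
    if path == "/transfer":
        if method != "POST":
            return 405
        token = form.get("csrf_token", "")
        if not hmac.compare_digest(token, csrf_token_for(session_id)):
            return 403
        session["balance"] -= int(form.get("amount", "0"))
        return 200
    return 404


def cross_site_get(handler_kind):
    """Simulate a GET issued from another origin that the browser decorates
    with the victim's cookie. Returns (status, balance afterwards)."""
    store = new_store()
    cookies = {"session": "sess-alice"}
    if handler_kind == "vulnerable":
        status = handle_vulnerable(store, "GET", "/transfer", {"amount": "30"}, cookies)
    else:
        status = handle_hardened(store, "GET", "/transfer", cookies, {})
    return status, store["sess-alice"]["balance"]


def proxy_retry(handler_kind):
    """Simulate a client or proxy that treats GET as idempotent and replays it
    once after a timeout. The vulnerable endpoint applies the effect twice."""
    store = new_store()
    cookies = {"session": "sess-alice"}
    for _ in range(2):
        if handler_kind == "vulnerable":
            handle_vulnerable(store, "GET", "/transfer", {"amount": "30"}, cookies)
        else:
            handle_hardened(store, "GET", "/transfer", cookies, {})
    return store["sess-alice"]["balance"]


def legitimate_post():
    """The victim's own page submits a form carrying the session-bound token."""
    store = new_store()
    cookies = {"session": "sess-alice"}
    form = {"amount": "30", "csrf_token": csrf_token_for("sess-alice")}
    status = handle_hardened(store, "POST", "/transfer", cookies, form)
    return status, store["sess-alice"]["balance"]


if __name__ == "__main__":
    print("cross-site GET, vulnerable:", cross_site_get("vulnerable"))
    print("cross-site GET, hardened:  ", cross_site_get("hardened"))
    print("proxy retry, vulnerable balance:", proxy_retry("vulnerable"))
    print("proxy retry, hardened balance:  ", proxy_retry("hardened"))
    print("legitimate POST with token:", legitimate_post())
```

The point of the split is that the two bullets are mitigated by the same two changes: refusing GET removes the idempotency assumption problem outright, and the session-bound token closes the cross-site case that refusing GET alone leaves open (a cross-site form can still POST with cookies attached).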