- From: Kjetil Kjernsmo <kjetil@kjernsmo.net>
- Date: Fri, 10 Oct 2014 16:59:22 +0200
- To: public-hydra@w3.org
Hi all!

So, I discovered there were some points that I hadn't responded to. Markus wrote way back:

> Access-Control-Allow-Origin is not about authentication... thus I'm
> actually a bit confused what you are discussing here. Access-Control-
> Allow-Origin is about allowing browsers to access resources on other
> servers.

Right. I was referring to some of the attacks that are made possible by CORS, as far as I have understood it. If someone puts up a TPF server on an Intranet containing information not meant for outsiders, and this has a CORS header allowing anybody, an attacker could access this information if they can trick an internal user who has authenticated to access the Internet resource to execute a script that cross-origin-shares the secret information...

Such attacks are discussed in the CORS spec; perhaps this resource is better to understand it:
http://resources.infosecinstitute.com/demystifying-html-5-attacks/

Or it may of course be that I haven't understood the attack, but personally, I'd be very cautious about adding CORS to private resources, and I would certainly never add it to anything that wasn't meant for the public Internet.

So, you could of course say that TPFs are *just* for the public Internet, but I think that would be a mistake.

Cheers,

Kjetil
Received on Friday, 10 October 2014 14:59:59 UTC
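The scenario described in the mail, as an added example that is not part of the original message or of any TPF server's code: a user on the intranet visits an attacker-controlled page, whose script issues a cross-origin fetch() to the intranet TPF endpoint. The request reaches the server because the user's browser sits inside the network; whether the script can then read the response is decided by the server's CORS headers, which the browser enforces. The hostnames, the response bodies and the three server configurations ("wildcard", "allowlist", "none") are constructed for illustration. The check below models the Fetch specification's CORS check for a simple GET, including the rule that a wildcard `Access-Control-Allow-Origin: *` is never honoured for a credentialed request, which is why a wildcard leak on an intranet rests on network position rather than on the victim's cookies.

```javascript
// Added example: models the browser-side CORS check for a cross-origin
// fetch() from an attacker page against an intranet TPF endpoint.
// Hostnames, headers and bodies are constructed samples.

const ATTACKER_ORIGIN = "https://evil.example";              // assumed attacker site
const INTERNAL_APP_ORIGIN = "https://app.intranet.example";   // assumed legitimate client

// What the intranet TPF server answers, depending on how CORS is configured.
// Header names are lower-cased the way the Fetch API exposes them.
function intranetResponse(config) {
  const headers = { "content-type": "text/turtle" };
  if (config === "wildcard") {
    // The misconfiguration discussed in the mail: anyone may read this.
    headers["access-control-allow-origin"] = "*";
  } else if (config === "allowlist") {
    // Hardened form: only the intranet's own web app origin is allowed,
    // and Vary: Origin stops caches from replaying the header to others.
    headers["access-control-allow-origin"] = INTERNAL_APP_ORIGIN;
    headers["vary"] = "Origin";
  }
  // config === "none": no CORS headers at all; the browser treats the
  // response as opaque to any cross-origin script.
  return { status: 200, headers, body: "<urn:secret> <urn:p> \"internal data\" ." };
}

// Models the browser's CORS response check for a simple GET:
// the calling script only gets the body if Access-Control-Allow-Origin
// matches its origin, or is "*" and the request carried no credentials.
function browserExposesResponse(requestOrigin, response, withCredentials = false) {
  const acao = response.headers["access-control-allow-origin"];
  if (acao === undefined) return false;          // no CORS header: blocked
  if (acao === "*") return !withCredentials;     // wildcard never pairs with credentials
  if (acao !== requestOrigin) return false;      // origin not allow-listed
  if (withCredentials) {
    return response.headers["access-control-allow-credentials"] === "true";
  }
  return true;
}

// The attack from the mail: the victim's browser, inside the intranet,
// runs the attacker page's script, which fetches the TPF endpoint.
// Returns true when the attacker's script can read the internal data.
function attackerCanRead(config) {
  const response = intranetResponse(config);
  return browserExposesResponse(ATTACKER_ORIGIN, response, false);
}

// The legitimate intranet app must still work after hardening.
function internalAppCanRead(config) {
  const response = intranetResponse(config);
  return browserExposesResponse(INTERNAL_APP_ORIGIN, response, false);
}

function demo() {
  for (const cfg of ["wildcard", "allowlist", "none"]) {
    console.log(
      cfg.padEnd(9),
      "attacker:", attackerCanRead(cfg) ? "LEAKS" : "blocked",
      " internal app:", internalAppCanRead(cfg) ? "ok" : "blocked"
    );
  }
}

demo();
```

Running the demo prints one line per configuration: the wildcard leaks to the attacker page, the allow-list serves the internal app and blocks the attacker, and no CORS header at all blocks both. The practical takeaway for an intranet TPF deployment is that "allowing anybody" should be replaced with an explicit allow-list of the origins that actually need cross-origin access.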