RE: CORS question from Hill, Brad on 2013-02-05 (public-web-security@w3.org from February 2013)

From: Hill, Brad <bhill@paypal-inc.com>
Date: Tue, 5 Feb 2013 22:37:54 +0000
To: Brandon Sterne <brandon@hackmill.com>, "public-web-security@w3.org" <public-web-security@w3.org>
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E27910AA1@DEN-EXDDA-S12.corp.ebay.com>

Brandon,

The requirement is that CORS does not introduce any new Cross-Site Request Forgery attack capabilities not present in legacy user agents.  Therefore, all requests that cannot be generated by pre-CORS user agents through methods like GET, POST and HEAD that are available through legacy HTML+JS must be anonymous or pre-authorized.

The user agent should not send requests with credentials on non-simple HTTP methods unless and until the server indicates it is prepared to accept such by responding to the pre-flight request.

Does this answer your question?

-Brad

From: brandon.sterne@gmail.com [mailto:brandon.sterne@gmail.com] On Behalf Of Brandon Sterne
Sent: Tuesday, February 05, 2013 1:38 PM
To: public-web-security@w3.org
Subject: CORS question

Hey guys,

Co-workers of mine were trying to understand the treat model of CORS, and I was having trouble articulating some of the particular risks that the spec attempts to avoid.  Why does the OPTIONS pre-flight request never carry credentials?
Thanks,
Brandon

Received on Tuesday, 5 February 2013 22:38:23 UTC