
Re: CORS question

From: Brandon Sterne <brandon@hackmill.com>
Date: Tue, 5 Feb 2013 14:46:26 -0800
Message-ID: <CADXmT7ABGiiHvCwZSqJKNX2A+_uDX0wRH=K9f_3oG14ePhGLhQ@mail.gmail.com>
To: "Hill, Brad" <bhill@paypal-inc.com>
Cc: "public-web-security@w3.org" <public-web-security@w3.org>
Thanks, Brad.  That answers my question.

Cheers,
Brandon


On Tue, Feb 5, 2013 at 2:37 PM, Hill, Brad <bhill@paypal-inc.com> wrote:

> Brandon,
>
> The requirement is that CORS does not introduce any new Cross-Site Request
> Forgery attack capabilities not present in legacy user agents.  Therefore,
> all requests that cannot be generated by pre-CORS user agents through
> methods like GET, POST and HEAD that are available through legacy HTML+JS
> must be anonymous or pre-authorized.
>
> The user agent should not send requests with credentials on non-simple
> HTTP methods unless and until the server indicates it is prepared to accept
> such by responding to the pre-flight request.
>
> Does this answer your question?
>
> -Brad
>
> From: brandon.sterne@gmail.com [mailto:brandon.sterne@gmail.com] On Behalf Of Brandon Sterne
> Sent: Tuesday, February 05, 2013 1:38 PM
> To: public-web-security@w3.org
> Subject: CORS question
>
> Hey guys,
>
> Co-workers of mine were trying to understand the threat model of CORS, and
> I was having trouble articulating some of the particular risks that the
> spec attempts to avoid.  Why does the OPTIONS pre-flight request never
> carry credentials?
>
> Thanks,
> Brandon
>
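The rule Brad states above, as an added example that is not part of the thread: a small model of the browser-side decision, where only legacy-equivalent "simple" requests go out directly, the preflight carries no credentials, and the credentialed non-simple request is sent only after the server opts in. The function names and sample values are assumptions for illustration, and `fetchPreflight` stands in for the network round trip.

```javascript
// Added example (not code from the thread): a model of the browser-side CORS decision
// described above. Sample values are constructed; function names are illustrative only.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SIMPLE_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);
const lower = (obj) => Object.fromEntries(Object.entries(obj || {}).map(([k, v]) => [k.toLowerCase(), v]));
const isSimpleHeader = (n, v) =>
  SIMPLE_HEADERS.has(n) && (n !== "content-type" || SIMPLE_TYPES.has(v.split(";")[0].trim()));

// A legacy HTML+JS page (forms, <img>, <script>) could already send these, so
// letting them go out with cookies adds no CSRF capability the web lacked before.
function isSimpleRequest(req) {
  return SIMPLE_METHODS.has(req.method) &&
    Object.entries(lower(req.headers)).every(([n, v]) => isSimpleHeader(n, v));
}

// The preflight announces intent only: OPTIONS plus Origin and the requested
// method/headers, and never cookies or Authorization, since nothing is authorized yet.
function buildPreflight(origin, req) {
  const extra = Object.entries(lower(req.headers)).filter(([n, v]) => !isSimpleHeader(n, v));
  return {
    method: "OPTIONS",
    credentials: false,
    headers: {
      "Origin": origin,
      "Access-Control-Request-Method": req.method,
      "Access-Control-Request-Headers": extra.map(([n]) => n).sort().join(", "),
    },
  };
}

// The credentialed non-simple request may be sent only if the server opted in.
function preflightAllows(origin, req, resp) {
  const h = lower(resp.headers);
  const allowOrigin = h["access-control-allow-origin"];
  if (req.credentials) {
    // With credentials the exact origin must be echoed; "*" is not enough.
    if (allowOrigin !== origin || h["access-control-allow-credentials"] !== "true") return false;
  } else if (allowOrigin !== "*" && allowOrigin !== origin) return false;
  const methods = (h["access-control-allow-methods"] || "").split(",").map((s) => s.trim().toUpperCase());
  if (!SIMPLE_METHODS.has(req.method) && !methods.includes(req.method)) return false;
  const allowed = new Set((h["access-control-allow-headers"] || "").split(",").map((s) => s.trim().toLowerCase()));
  return Object.entries(lower(req.headers)).every(([n, v]) => isSimpleHeader(n, v) || allowed.has(n));
}

// Overall decision for one cross-origin request; fetchPreflight stands in for the network.
function decide(origin, req, fetchPreflight) {
  if (isSimpleRequest(req)) return "send";
  const resp = fetchPreflight(buildPreflight(origin, req));
  return preflightAllows(origin, req, resp) ? "preflight-then-send" : "blocked";
}
```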
Received on Tuesday, 5 February 2013 22:46:53 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 5 February 2013 22:46:54 GMT