Re: [fetch] Update Access-Control-Allow-Headers CORS response header to allow * (allow-all) (#251)

@roryhewitt, in summary, don't worry about the security side when adding wildcard support to:

 Access-Control-Allow-Headers: *
 Access-Control-Allow-Methods: *

In regard to your [second comment](#issuecomment-199903830), if `Access-Control-Allow-Headers: *` is specified for the request, the browser should ignore/reject a wildcard if the credentials (e.g. cookies) were sent, in the same way it currently does for `Access-Control-Allow-Origin`.

---

Or, in more detail: today, if a server responds with:

 Access-Control-Allow-Origin: *

Browsers will normally handle this as you would expect (as a wildcard), but they will reject it when requesting a resource with `.withCredentials = true`.

Any website that wants to allow this behaviour (which is where the security risk comes in) will *need* to replace the wildcard with a proper Origin, and provide the `Access-Control-Allow-Credentials` header as well, e.g.

 Access-Control-Allow-Origin: http://www.example.com
 Access-Control-Allow-Credentials: true

So if we used the same logic with all 3 of these headers, then a response that contains the following should be fine:

 Access-Control-Allow-Origin: *
 Access-Control-Allow-Headers: *
 Access-Control-Allow-Methods: *

You can try this yourself with the following JS, which will only work if the full Origin/Credentials headers are sent from the remote website:

 var httpRequest = new XMLHttpRequest();
 httpRequest.onreadystatechange = function() {
  if (httpRequest.readyState === XMLHttpRequest.DONE) {
   if (httpRequest.status === 200) {
    console.log(httpRequest.responseText);
   } else {
    // A CORS rejection shows up here as status 0, not as an HTTP error code.
    alert('There was a problem with the request.');
   }
  }
 };
 // Send cookies with the request; a wildcard Access-Control-Allow-Origin is then rejected.
 httpRequest.withCredentials = true;
 httpRequest.open('GET', 'http://www.example.com/secure-page', true);
 httpRequest.send(null);

---
https://github.com/whatwg/fetch/issues/251#issuecomment-199946808

Received on Tuesday, 22 March 2016 18:13:52 UTC
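The rule the comment describes, applied uniformly to all three headers, as an added example that is not part of the original post or of the Fetch standard's own text: a simplified model of the browser-side CORS check in which `*` is honoured only for requests sent without credentials. The request/response objects, the `corsCheck`/`demo` function names and the sample header values are constructed for illustration, and CORS-safelisted request headers are left out for brevity.

```javascript
// Added example, not code from the thread: a simplified model of the CORS
// response check described in the comment, in which "*" is honoured only
// when the request was sent without credentials. Header and method names are
// assumed to be compared case-insensitively; `credentials: true` models
// XMLHttpRequest.withCredentials. CORS-safelisted request headers (Accept,
// simple Content-Type values, ...) are ignored here for brevity, so every
// listed request header must be covered by Access-Control-Allow-Headers.

function parseList(value) {
  // Comma-separated header value -> trimmed, lowercased, non-empty tokens.
  if (typeof value !== 'string') return [];
  return value.split(',').map(s => s.trim().toLowerCase()).filter(s => s.length > 0);
}

function fail(reason) {
  return { ok: false, reason };
}

function corsCheck(req, res) {
  // req: { origin, method, headers: [names], credentials: boolean }
  // res: response headers keyed by lowercased header name (constructed input)
  const credentialed = req.credentials === true;
  const allowOrigin = (res['access-control-allow-origin'] || '').trim();
  const allowCreds = (res['access-control-allow-credentials'] || '').trim().toLowerCase();

  // 1. Origin: "*" is only acceptable for anonymous requests; a credentialed
  //    request needs the exact origin plus Access-Control-Allow-Credentials: true.
  if (allowOrigin === '') return fail('missing Access-Control-Allow-Origin');
  if (allowOrigin === '*') {
    if (credentialed) return fail('wildcard origin rejected for credentialed request');
  } else if (allowOrigin !== req.origin) {
    return fail('origin mismatch');
  }
  if (credentialed && allowCreds !== 'true') {
    return fail('Access-Control-Allow-Credentials: true required for credentialed request');
  }

  // 2. Method: the same rule applied to Access-Control-Allow-Methods for
  //    non-simple methods (anything other than GET/HEAD/POST is preflighted).
  const method = req.method.toLowerCase();
  if (!['get', 'head', 'post'].includes(method)) {
    const allowed = parseList(res['access-control-allow-methods']);
    const ok = allowed.includes(method) || (allowed.includes('*') && !credentialed);
    if (!ok) return fail(`method ${req.method} not allowed`);
  }

  // 3. Headers: the same rule applied to Access-Control-Allow-Headers.
  const allowedHeaders = parseList(res['access-control-allow-headers']);
  const headerWildcard = allowedHeaders.includes('*') && !credentialed;
  for (const name of req.headers || []) {
    if (!headerWildcard && !allowedHeaders.includes(name.toLowerCase())) {
      return fail(`header ${name} not allowed`);
    }
  }
  return { ok: true, reason: 'allowed' };
}

// Constructed sample responses: the all-wildcard form from the comment, and
// the explicit form a site must use once it wants credentials.
const WILDCARD_RESPONSE = {
  'access-control-allow-origin': '*',
  'access-control-allow-headers': '*',
  'access-control-allow-methods': '*',
};
const EXPLICIT_RESPONSE = {
  'access-control-allow-origin': 'http://www.example.com',
  'access-control-allow-credentials': 'true',
  'access-control-allow-headers': 'X-Requested-With',
  'access-control-allow-methods': 'PUT',
};

function demo() {
  const anon = { origin: 'http://www.example.com', method: 'PUT', headers: ['X-Requested-With'], credentials: false };
  const withCreds = { ...anon, credentials: true };
  return {
    anonWildcard: corsCheck(anon, WILDCARD_RESPONSE),          // allowed
    credsWildcard: corsCheck(withCreds, WILDCARD_RESPONSE),    // rejected at the origin step
    credsExplicit: corsCheck(withCreds, EXPLICIT_RESPONSE),    // allowed
    credsHeaderWildcard: corsCheck(withCreds, { ...EXPLICIT_RESPONSE, 'access-control-allow-headers': '*' }), // rejected at the header step
  };
}

console.log(demo());
```

The fourth case is the one that matters for the proposal: an explicit origin with `Access-Control-Allow-Credentials: true` but `Access-Control-Allow-Headers: *` still fails, because the wildcard is never taken to cover a credentialed request. Note that the Fetch standard as later written goes one step further for anonymous requests and does not let `*` cover the `Authorization` header; the model above does not encode that extra exclusion.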