Re: [whatwg/fetch] Listing headers safe only for certain values is a bad idea (#313)

@sicking I think we are misunderstanding each other. I'm solely talking about simple, non-preflight CORS request headers.

Currently there are three such header values that are not restricted beyond field-content token production, namely Accept, Accept-Language, and Content-Language. This means all web servers have to have solid input validation for these headers since any page on the web can send those headers to them in CORS requests.

Yes, any piece of software capable of sending HTTP requests can send arbitrary headers to servers. But CORS requests can be leveraged in CSRF attacks against intranets or local services that a remote attacker cannot reach from his/her computer.

We'd like to discuss browser restriction of Accept, Accept-Language, and Content-Language values in simple CORS since RFC 7231 does restrict them, i.e. they are well-defined.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/313#issuecomment-246039534

Received on Friday, 9 September 2016 21:05:26 UTC
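The comment above argues that, because a browser will forward any token-shaped Accept, Accept-Language or Content-Language value in a simple CORS request, the server has to validate those values itself. As an added example (not code from the thread, the Fetch spec or any browser), the Python below accepts a value only if it matches the RFC 7231 grammar for that header, using the RFC 7230 list rule and the RFC 4647 language-range syntax; the Content-Language check uses a simplified RFC 5646 tag shape and the `MAX_LEN` cap is an assumption, both marked in comments.

```python
"""Grammar checks for the three CORS-safelisted headers the browser does not
otherwise restrict (RFC 7231 Accept / Accept-Language / Content-Language)."""
import re

OWS = r"[ \t]*"                                        # optional whitespace
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"                # RFC 7230 token
QUOTED_STRING = r'"(?:[\t !#-\[\]-~]|\\[\t -~])*"'     # qdtext / quoted-pair
PARAM = rf"{TOKEN}=(?:{TOKEN}|{QUOTED_STRING})"
QVALUE = r"(?:0(?:\.[0-9]{0,3})?|1(?:\.0{0,3})?)"      # 0, 0.xxx, 1, 1.000
WEIGHT = rf"{OWS};{OWS}[qQ]={QVALUE}"
# Media-type parameters end at the weight ("q=") that must follow them.
MEDIA_PARAM = rf"{OWS};{OWS}(?![qQ]=){PARAM}"
MEDIA_RANGE = rf"(?:\*/\*|{TOKEN}/\*|{TOKEN}/{TOKEN})(?:{MEDIA_PARAM})*"
ACCEPT_EXT = rf"{OWS};{OWS}{TOKEN}(?:=(?:{TOKEN}|{QUOTED_STRING}))?"
ACCEPT_ELEM = rf"{MEDIA_RANGE}(?:{WEIGHT}(?:{ACCEPT_EXT})*)?"
LANGUAGE_RANGE = r"(?:\*|[A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*)"  # RFC 4647 basic
ACCEPT_LANGUAGE_ELEM = rf"{LANGUAGE_RANGE}(?:{WEIGHT})?"
# Assumption: simplified RFC 5646 tag shape (no registry/extension checks).
LANGUAGE_TAG = r"[A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*"


def _list(elem: str, at_least_one: bool) -> str:
    """RFC 7230 #rule / 1#rule in recipient form (tolerates empty elements)."""
    one_or_more = rf"(?:,{OWS})*{elem}(?:{OWS},(?:{OWS}{elem})?)*"
    return one_or_more if at_least_one else rf"(?:{one_or_more}|[ \t,]*)"


_RULES = {
    "accept": re.compile(_list(ACCEPT_ELEM, at_least_one=False)),
    "accept-language": re.compile(_list(ACCEPT_LANGUAGE_ELEM, at_least_one=True)),
    "content-language": re.compile(_list(LANGUAGE_TAG, at_least_one=True)),
}
MAX_LEN = 4096  # assumption: bound regex work on oversized hostile values


def validate_header(name: str, value: str) -> bool:
    """True only if `value` is a well-formed field value for `name`.

    fullmatch() rejects anything outside the grammar (CR/LF, angle brackets,
    non-ASCII, a q-value with four decimals) instead of passing it on to
    code that trusts these headers.
    """
    rule = _RULES.get(name.lower())
    if rule is None:
        raise ValueError(f"no grammar registered for header {name!r}")
    if len(value) > MAX_LEN:
        return False
    return rule.fullmatch(value.strip(" \t")) is not None
```

Splitting on commas would be wrong here, since a quoted parameter such as `level="a,b"` may legitimately contain one; the list rule handles that.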