- From: Maciej Stachowiak <mjs@apple.com>
- Date: Thu, 19 Jun 2008 14:54:29 -0700
- To: Jon Ferraiolo <jferrai@us.ibm.com>
- Cc: Jonas Sicking <jonas@sicking.cc>, public-webapps@w3.org
- Message-Id: <55B60C6A-221B-4B67-BF96-FAC1D95F5A7A@apple.com>
On Jun 19, 2008, at 2:36 PM, Jon Ferraiolo wrote:

> Maciej Stachowiak wrote:
>
>> On Jun 14, 2008, at 4:23 AM, Jonas Sicking wrote:
>>
>> ...snip...
>>
>>> I mean, I guess it's possible people will do this, but people could add
>>> "Access-Control-Allow-Credentials" site-wide too. And if we add
>>> "Access-Control-Allow-Credentials-I-Really-Mean-It", they'll add even
>>> more.
>>
>> Yes, this is certainly a possibility. But my hope is that this will
>> happen to a smaller extent.
>
> I share the "smaller extent" hope with Jonas, and his latest proposals
> look good to me.
>
> My assumption is that 99% of all cross-site XHR usage will not require
> credentials/cookies. Therefore, what makes sense is a simple way that
> server developers can opt in to credential-free cross-site XHR, which
> tells the browser to allow cross-site credential-free XHR to their site.
> Then, in an advanced section of the AC spec, talk about how some
> workflows might want credentials to be sent, and here is the extra header
> to enable credentials (Access-Control-Allow-Credentials), but this
> section of the spec should include SHOUTING TEXT about potential dangers
> and instruct the developer that he should not enable transmission of
> credentials unless he is sure that he needs it and he is sure that he
> knows what he is doing (such as understanding what a CSRF attack is). I
> realize that some developers won't read the spec carefully or notice the
> shouting text, but I expect most tutorials and examples on the Web will
> follow the lead from the spec and help teach people to steer clear of the
> Access-Control-Allow-Credentials header unless they know what they are
> doing.

Web developers don't read specs, they cut & paste.

I think my alternate proposal of using different header names (also suggested in Microsoft's whitepaper) is actually safer against accidentally enabling cookies, since a cut & paste error is unlikely to make you process cookies that come under a different header name.

I am not sure you are right that 99% of uses for cross-site XHR won't require credentials. Any such uses can be handled now on the server side. Cross-site data mixing with credentials done in a secure way is one of the biggest true new capabilities that would be offered.

Regards,
Maciej
Received on Thursday, 19 June 2008 21:55:13 UTC
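The two policies the thread contrasts, as an added example that is not part of the original messages: a site-wide credential-free default, a narrow per-resource opt-in to credentials for an explicit origin allowlist, and, for comparison, the cut-and-paste mistake of enabling credentials site-wide while reflecting whatever Origin arrives. It is written against the CORS semantics that were eventually standardized (a wildcard origin is not honoured together with credentials), not the 2008 draft under discussion; the policy shape, paths, origins and function names are assumptions for illustration, not an API from the thread or from any browser.

```javascript
// Added example (not from the thread). Policy shape and names are assumptions.
const SITE_POLICY = {
  // Site-wide default: any origin may read, but no cookies or HTTP auth are honoured.
  defaultRule: { allowOrigins: "*", allowCredentials: false },
  // The "advanced" case: one named resource, one named origin, credentials on.
  perPath: {
    "/api/account": {
      allowOrigins: ["https://app.example.com"],
      allowCredentials: true,
    },
  },
};

// Compute the CORS response headers for one request.
function corsHeadersFor(requestOrigin, path, policy = SITE_POLICY) {
  const rule = policy.perPath[path] || policy.defaultRule;
  const headers = {};
  if (!requestOrigin) return headers; // no Origin header: not a cross-origin read

  if (rule.allowCredentials) {
    // A credentialed response must name one specific origin: "*" is rejected by
    // browsers here, and echoing an arbitrary Origin is "*" in disguise.
    const allowed =
      Array.isArray(rule.allowOrigins) && rule.allowOrigins.includes(requestOrigin);
    if (!allowed) return headers; // the browser then blocks the cross-origin read
    headers["Access-Control-Allow-Origin"] = requestOrigin;
    headers["Access-Control-Allow-Credentials"] = "true";
    headers["Vary"] = "Origin"; // shared caches must not reuse this answer for another origin
    return headers;
  }

  // Credential-free: a wildcard is acceptable because the browser attaches no cookies.
  if (rule.allowOrigins === "*") {
    headers["Access-Control-Allow-Origin"] = "*";
  } else if (rule.allowOrigins.includes(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
    headers["Vary"] = "Origin";
  }
  return headers;
}

// The mistake the thread worries about: credentials enabled for the whole
// site and the request's Origin reflected back. Kept only for comparison.
function reflectingHeadersFor(requestOrigin) {
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Audit one response: a finding string when credentials are granted to an
// origin outside `trustedOrigins` (wildcard or reflection), otherwise null.
function auditCorsResponse(requestOrigin, headers, trustedOrigins) {
  if (headers["Access-Control-Allow-Credentials"] !== "true") return null;
  const granted = headers["Access-Control-Allow-Origin"];
  if (granted === "*") return "credentials granted with wildcard origin";
  if (!trustedOrigins.includes(granted)) {
    const reflected = granted === requestOrigin ? " (Origin reflected)" : "";
    return `credentials granted to untrusted origin ${granted}${reflected}`;
  }
  return null;
}

// Constructed sample requests, as a browser would send them (not real traffic).
const SAMPLES = [
  ["https://evil.example", "/public/feed"],   // anyone may read, no credentials
  ["https://app.example.com", "/api/account"], // listed origin, credentials on
  ["https://evil.example", "/api/account"],    // unlisted origin, nothing granted
];
for (const [origin, path] of SAMPLES) {
  console.log(origin, path, corsHeadersFor(origin, path));
}
console.log(
  auditCorsResponse(
    "https://evil.example",
    reflectingHeadersFor("https://evil.example"),
    ["https://app.example.com"]
  )
);
```

The separate `Access-Control-Allow-Credentials` header is what the 2008 draft debated; the audit function is the check that a tutorial-following developer never gets from the spec text: it flags a response that pairs that header with a wildcard or with an origin the site did not explicitly list.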