
[AC] Defining cookieless requests

From: Jonas Sicking <jonas@sicking.cc>
Date: Wed, 01 Oct 2008 16:24:34 -0700
Message-ID: <48E406B2.4050104@sicking.cc>
To: Webapps WG <public-webapps@w3.org>

Hi All,

I think it would be good if we could more explicitly define the two 
security modes for Access-Control: with cookies vs. without cookies.

Right now the spec talks about the with-credentials flag either being 
true or false; however, it doesn't really receive as much attention as, 
for example, simple vs. preflighted requests.

I think we should make this a bit more explicit for a couple of reasons:

First of all, requests without credentials have vastly different security 
considerations than requests with credentials. Basically every server on 
the Internet could add an
Access-Control-Allow-Origin: *
header without being concerned about security. It could even always echo 
back the Access-Control-Request-Method/Access-Control-Request-Headers as 
Access-Control-Allow-Methods/Access-Control-Allow-Headers still without 
adding any extra risk around security.

The reason for this is that this would just result in requests and data 
disclosure that can already happen on the web today, server-to-server.

Once you add credentials to the requests, though, you have to be much more 
careful not to leak the user's private information, not to allow 
operations that require authorization to happen, etc.

Second, it would allow implementations such as Microsoft's XDR (if they 
end up supporting Access-Control) to more precisely talk about which 
parts of the spec they use.

One way to talk about this is as requests for public versus private 
resources. This is definitely something we should talk about in the 
Security Considerations section (which in general seems to be missing a 
part about servers). We should also talk about it in the Processing 
Model section.

Let me know what you think.

/ Jonas
Received on Wednesday, 1 October 2008 23:27:15 UTC
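The two modes Jonas describes can be made concrete in server-side policy code. The following is an added example, not part of the original message or of any W3C implementation: a hypothetical `cors_response_headers` helper that reflects the preflight request headers freely in the no-credentials ("public resource") mode, but in the with-credentials ("private resource") mode only answers for an explicit origin allowlist and never emits `*`. The `audit_cors_headers` function is a small defender's check for the misconfiguration the distinction is meant to prevent. The allowlist, origins and header values are constructed sample data; `Access-Control-Allow-Credentials` and `Vary` are standard CORS/HTTP headers not mentioned in the post itself.

```python
"""Hypothetical CORS policy helper contrasting the two Access-Control security modes."""
from typing import Dict, FrozenSet, List, Optional

# Constructed allowlist of origins that may make credentialed (cookie-bearing) requests.
ALLOWED_CREDENTIALED_ORIGINS: FrozenSet[str] = frozenset({"https://app.example"})


def cors_response_headers(
    request_headers: Dict[str, str],
    with_credentials: bool,
    allowed_origins: FrozenSet[str] = ALLOWED_CREDENTIALED_ORIGINS,
) -> Optional[Dict[str, str]]:
    """Return the Access-Control-* headers to send, or None to refuse the cross-origin request.

    with_credentials=False: the resource is public. Anything a browser can fetch here
    is already reachable server-to-server, so reflecting the requested method/headers
    and answering with "*" adds no new exposure.
    with_credentials=True: the resource is private. Cookies would be attached, so only
    explicitly allowlisted origins are answered, and "*" is never used.
    """
    origin = request_headers.get("Origin")
    if origin is None:
        return {}  # same-origin or non-browser request: no CORS headers needed

    if not with_credentials:
        headers = {"Access-Control-Allow-Origin": "*"}
        requested_method = request_headers.get("Access-Control-Request-Method")
        if requested_method:
            headers["Access-Control-Allow-Methods"] = requested_method
        requested_headers = request_headers.get("Access-Control-Request-Headers")
        if requested_headers:
            headers["Access-Control-Allow-Headers"] = requested_headers
        return headers

    # Credentialed mode: "null" (sandboxed/opaque origins) is never allowlisted.
    if origin == "null" or origin not in allowed_origins:
        return None  # deny: emit no Access-Control headers at all

    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # per-origin response must not be served from a shared cache
        "Access-Control-Allow-Methods": "GET, POST",
    }


def audit_cors_headers(response_headers: Dict[str, str]) -> List[str]:
    """Flag response header combinations that mix the public and private modes unsafely."""
    findings: List[str] = []
    acao = response_headers.get("Access-Control-Allow-Origin")
    creds = response_headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if creds and acao == "*":
        findings.append("wildcard origin combined with Allow-Credentials: true")
    if creds and acao == "null":
        findings.append("'null' origin allowed with credentials")
    if creds and acao and acao not in ("*", "null") and "Origin" not in response_headers.get("Vary", ""):
        findings.append("per-origin credentialed response without Vary: Origin")
    return findings


if __name__ == "__main__":
    # Constructed preflight from an arbitrary site against a public resource.
    public = cors_response_headers(
        {"Origin": "https://anything.example", "Access-Control-Request-Method": "PUT"},
        with_credentials=False,
    )
    print("public:", public)
    # Same site against a private resource is refused; the allowlisted app is answered.
    print("private (unlisted):", cors_response_headers({"Origin": "https://anything.example"}, True))
    print("private (listed):", cors_response_headers({"Origin": "https://app.example"}, True))
    print("audit:", audit_cors_headers({"Access-Control-Allow-Origin": "*",
                                        "Access-Control-Allow-Credentials": "true"}))
```

The split mirrors the point in the post: a server that only ever serves public resources can reflect freely, while one that honours cookies has to make an explicit per-origin decision, and the audit catches a server that tries to do both at once.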
