- From: Jonas Sicking <jonas@sicking.cc>
- Date: Wed, 01 Oct 2008 16:24:34 -0700
- To: Webapps WG <public-webapps@w3.org>
Hi All,

I think it would be good if we more explicitly could define the two, with cookies vs. without cookies, security modes for Access-Control. Right now the spec talks about the with-credentials flag either being true or false, however it doesn't really receive as much attention as for example simple vs. preflighted requests. I think we should make this a bit more explicit for a couple of reasons:

First of all, requests without credentials have vastly different security considerations than requests with credentials. Basically every server on the Internet could add an Access-Control-Allow-Origin: * header without being concerned about security. It could even always echo back the Access-Control-Request-Method/Access-Control-Request-Headers as Access-Control-Allow-Methods/Access-Control-Allow-Headers, still without adding any extra risk around security. The reason for this is that this would just result in requests and data disclosure that can already happen on the web today, server-to-server. Once you add credentials to the requests though, you have to be much more careful not to leak user private information, that you don't allow operations that require authorization to happen, etc.

Second, it would allow implementations such as Microsoft's XDR (if they end up supporting Access-Control) to more precisely talk about which parts of the spec they use.

One way to talk about this is as requests for public versus private resources.

This is definitely something we should talk about in the Security Considerations section (which in general seems to be missing a part about servers). We should also talk about it in the Processing Model section.

Let me know what you think.

/ Jonas
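The two modes described in the message, as an added server-side example that is not part of the original post or of any Access-Control implementation: a policy function that computes the Access-Control response headers for a "public" (credential-less) resource by answering `*` and echoing the preflight's requested method and headers, and for a "private" (credentialed) resource only against explicit origin, method and header allowlists with the origin echoed exactly. The allowlists, the request object shape and the function name are assumptions made for this example; the header names are the real Access-Control-* headers.

```javascript
// Added example (not from the original message). Allowlists below are constructed.
const PRIVATE_ALLOWED_ORIGINS = new Set(['https://app.example']);
const PRIVATE_ALLOWED_METHODS = new Set(['GET', 'POST']);
const PRIVATE_ALLOWED_HEADERS = new Set(['content-type']);

// req = { method: 'GET', headers: { origin: '...', 'access-control-request-method': '...' } }
// resourceIsPublic: true for data that any server-to-server fetch could already read.
function corsHeaders(req, resourceIsPublic) {
  const h = req.headers;
  const origin = h['origin'];
  const out = {};
  if (origin === undefined) return out;             // same-origin or non-browser client
  const preflight = req.method === 'OPTIONS' && h['access-control-request-method'] !== undefined;
  const wantHeaders = (h['access-control-request-headers'] || '')
    .split(',').map(s => s.trim().toLowerCase()).filter(Boolean);

  if (resourceIsPublic) {
    // Credential-less mode: nothing is disclosed that a server-to-server
    // request could not already obtain, so '*' and plain echoing are safe.
    out['Access-Control-Allow-Origin'] = '*';
    if (preflight) {
      out['Access-Control-Allow-Methods'] = h['access-control-request-method'];
      if (wantHeaders.length) out['Access-Control-Allow-Headers'] = wantHeaders.join(', ');
    }
    return out;
  }

  // Credentialed mode: the response is user-private data. An unknown origin
  // gets no Access-Control headers at all, so the browser withholds the body.
  if (!PRIVATE_ALLOWED_ORIGINS.has(origin)) return out;
  if (preflight) {
    const m = h['access-control-request-method'];
    if (!PRIVATE_ALLOWED_METHODS.has(m)) return out;                        // e.g. DELETE refused
    if (!wantHeaders.every(x => PRIVATE_ALLOWED_HEADERS.has(x))) return out; // unknown header refused
    out['Access-Control-Allow-Methods'] = [...PRIVATE_ALLOWED_METHODS].join(', ');
    out['Access-Control-Allow-Headers'] = [...PRIVATE_ALLOWED_HEADERS].join(', ');
  }
  out['Access-Control-Allow-Origin'] = origin;       // exact echo, never '*'
  out['Access-Control-Allow-Credentials'] = 'true';  // the with-credentials flag on the wire
  out['Vary'] = 'Origin';                            // per-origin answer must not be cached for others
  return out;
}
```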
Received on Wednesday, 1 October 2008 23:27:15 UTC