W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2009

Re: [cors] Review

From: Tyler Close <tyler.close@gmail.com>
Date: Mon, 22 Jun 2009 13:16:12 -0700
Message-ID: <5691356f0906221316w5a8180a8vc1f06ebf4a417517@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: Ian Hickson <ian@hixie.ch>, Anne van Kesteren <annevk@opera.com>, Mark Nottingham <mnot@mnot.net>, public-webapps@w3.org
On Mon, Jun 22, 2009 at 12:33 PM, Adam Barth<w3c@adambarth.com> wrote:
> On Mon, Jun 22, 2009 at 11:30 AM, Tyler Close<tyler.close@gmail.com> wrote:
>> It appears to me that almost all
>> the complexity of CORS comes from its attempt to protect resources
>> that rely solely on IP-based authentication.
>
> I'm not sure this is the case.  I think the reasoning goes like this:
>
> 1) We can't strip all the credential information from cross-origin requests.
> 2) There's a large amount of value is supporting all the normal
> credentials associated with HTTP requests.
> 3) Given (1), we have to deal with the credential issue.  Given (2),
> we get a large benefit from from supporting all kinds of credentials.
> 4) Given (3), some folks have made a judgement call that value of
> supporting credentials is worth the complexity.

Perhaps that is the reasoning of the authors, I don't know. Ian
Hickson's email seemed to suggest that IP-based authentication was the
primary reason to not consider the simpler approach I outlined. In
either case, we know that the value of (2) is illusory since CSRF
vulnerabilities prevent its use (unless all the sites in the scenario
are trusted). For (1), I think it's worth investigating exactly what
sites rely on. For example, if sites are only relying on IP-based
authentication to ensure a response is delivered to that IP address,
then we're in good shape, since we can easily implement this by
checking for the absence of a cross-domain enabled header.

>> So let's take a look at the ACM digital library case. Is there some
>> document that describes its use of IP-based authentication? Does the
>> resource use this protection to authenticate POST requests, or just
>> GET requests?
>
> I'm not familiar with exactly how it works, but the basic idea is as follows:
>
> 1) Universities (and other folks) pay money to ACM digital library to
> give their networks access to the library.
> 2) When I visit the library from the university network, I can
> download papers, etc.
> 3) When I visit the library from home, I browse the index, but I can't
> download the papers.
>
> I seem to recall that the amount the university pays is somehow
> related to how much they use the library, but I don't know what the
> mechanism is for this or whether UC Berkeley buys an all-you-can-eat
> subscription.

So I just did some poking around on the ACM digital library site (I
believe my company also has a site license). Only GET requests are
made when fetching a paper, so this use-case is not relevant to this
discussion. CORS also allows GET requests to be sent without
restriction.

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Monday, 22 June 2009 20:16:49 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:31 GMT