
Re: [cors] Additional Comments on 17 March 2009 cors draft

From: Anne van Kesteren <annevk@opera.com>
Date: Wed, 01 Jul 2009 11:34:05 +0200
To: "Frederick Hirsch" <Frederick.Hirsch@nokia.com>
Cc: "public-webapps WG" <public-webapps@w3.org>
Message-ID: <op.uwdt63o464w2qv@anne-van-kesterens-macbook.local>
I might not have time to address your larger set of questions before I  
leave on vacation tomorrow, but I thought I could at least answer this one.

On Tue, 30 Jun 2009 17:38:20 +0200, Frederick Hirsch  
<Frederick.Hirsch@nokia.com> wrote:
> One additional question regarding a cross-site get (using browser here  
> for simplicity of terms) (for example, see [1])
>
> Is it true that
>
> 1. the GET results in the content being returned on the wire with an  
> Access-Control-Allow-Origin header
> 2. the browser then checks this header and enforces policy
> 3. if policy disallows then the browser does not allow the content to be  
> used.

Yes, this is correct.


> In any case, doesn't this open an attack to get the content by sniffing  
> the wire for the response content, regardless of the header?

If that is a viable attack scenario, such servers are already exposed due  
to e.g. cross-origin <img> or <iframe> loading, which already works today.  
Or e.g. by simply setting window.location to the address from which you  
want to sniff the response.

All the header is effectively protecting is exposing the "raw" contents of  
a cross-origin resource to script.


> [1] http://arunranga.com/examples/access-control/SimpleXSInvocation.txt


-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Wednesday, 1 July 2009 09:34:50 GMT
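The three steps Frederick lists, and Anne's point that the header only gates what script can read, as an added example that is not part of the original thread. It simulates the exchange in JavaScript: a server that always returns the body and merely attaches Access-Control-Allow-Origin, a browser-side check written against the CORS rules for a request without preflight (exact origin match, `*` rejected when credentials are included, Access-Control-Allow-Credentials required otherwise), and a record of what crossed the wire either way. The function names (makeServer, corsCheck, browserFetch, demo), the origins https://app.example and https://evil.example, and the body text are constructed for this illustration.

```javascript
// Added example, not code from the thread: a simulation of the three steps
// for a cross-origin GET (server sends body + Access-Control-Allow-Origin,
// browser checks the header, browser withholds the body from script if the
// check fails). Function names, origins and the body text are constructed.
// Header names are kept lower-case throughout; HTTP treats them case-insensitively.

// A resource server. Like any origin server it returns the body to whoever
// asks; the CORS header is an extra response header, not a gate on the wire.
function makeServer(policy) {
  return function handle(req) {
    return {
      status: 200,
      headers: { "content-type": "text/plain", ...policy(req.origin) },
      body: "account-balance=1234", // constructed sample payload, always sent
    };
  };
}

// Browser-side check for a request that needs no preflight. This is the step
// that actually enforces the policy; the server has already sent everything.
function corsCheck(requestOrigin, headers, withCredentials) {
  const allow = headers["access-control-allow-origin"];
  if (allow === undefined) return false;       // header absent: opaque to script
  if (allow === "*") return !withCredentials;  // "*" is never accepted with credentials
  if (allow !== requestOrigin) return false;   // exact string match, no lists or patterns
  if (withCredentials) {
    return headers["access-control-allow-credentials"] === "true";
  }
  return true;
}

// The browser: issues the request, runs the check, and only then hands the
// body to script. `wire` records what a passive observer on the path sees,
// which is identical whether or not the check passes.
function browserFetch(server, requestOrigin, withCredentials = false) {
  const req = { method: "GET", origin: requestOrigin, credentials: withCredentials };
  const res = server(req);
  const exposed = corsCheck(requestOrigin, res.headers, withCredentials);
  return {
    wire: { headers: res.headers, body: res.body },
    exposedToScript: exposed,
    body: exposed ? res.body : null, // script sees a network error, not the body
  };
}

// Constructed policy: echo the origin only for one trusted site. Vary: Origin
// is added so a shared cache does not replay the echoed header to another origin.
const TRUSTED = "https://app.example";
const echoTrustedOrigin = (origin) =>
  origin === TRUSTED
    ? { "access-control-allow-origin": origin, vary: "Origin" }
    : {};
const server = makeServer(echoTrustedOrigin);

// Wildcard policy, to show that "*" stops working once credentials are involved.
const wildcardServer = makeServer(() => ({ "access-control-allow-origin": "*" }));

function demo() {
  const allowed = browserFetch(server, TRUSTED);
  const denied = browserFetch(server, "https://evil.example");
  return {
    allowedBody: allowed.body,           // "account-balance=1234"
    deniedBody: denied.body,             // null
    deniedBodyOnWire: denied.wire.body,  // "account-balance=1234": it left the server anyway
    wildcardNoCreds: browserFetch(wildcardServer, TRUSTED, false).exposedToScript,  // true
    wildcardWithCreds: browserFetch(wildcardServer, TRUSTED, true).exposedToScript, // false
  };
}

console.log(demo());
```

The `deniedBodyOnWire` field is the point of Anne's reply: the check in `corsCheck` runs after the response has arrived, so anyone who can read the wire, or who can make the browser load the URL via `<img>`, `<iframe>` or `window.location`, gets the bytes regardless of the header. What the header decides is only whether `body` is handed to script or replaced by a network error.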