
Re: [cors] Additional Comments on 17 March 2009 cors draft

From: Frederick Hirsch <Frederick.Hirsch@nokia.com>
Date: Wed, 1 Jul 2009 09:23:12 -0400
Cc: Frederick Hirsch <Frederick.Hirsch@nokia.com>, public-webapps WG <public-webapps@w3.org>
Message-Id: <8788AC7F-7E9B-4258-88B5-9C750A62A951@nokia.com>
To: ext Anne van Kesteren <annevk@opera.com>

So the issue is not confidentiality, it is inappropriate script execution. Got it.

Thanks Anne

regards, Frederick

Frederick Hirsch
Nokia



On Jul 1, 2009, at 5:34 AM, ext Anne van Kesteren wrote:

> I might not have time to address your larger set of questions before I leave on vacation tomorrow, but I thought I could at least answer this one.
>
> On Tue, 30 Jun 2009 17:38:20 +0200, Frederick Hirsch
> <Frederick.Hirsch@nokia.com> wrote:
>> One additional question regarding a cross-site get (using browser here for simplicity of terms) (for example, see [1])
>>
>> Is it true that
>>
>> 1. the GET results in the content being returned on the wire with an Access-Control-Allow-Origin header
>> 2. the browser then checks this header and enforces policy
>> 3. if policy disallows then the browser does not allow the content to be used.
>
> Yes, this is correct.
>
>
>> In any case, doesn't this open an attack to get the content by sniffing the wire for the response content, regardless of the header?
>
> If that is a viable attack scenario such servers are already exposed due to e.g. cross-origin <img> or <iframe> loading which already works today. Or e.g. by simply setting window.location to the address from which you want to sniff the response.
>
> All the header is effectively protecting is exposing the "raw" contents of a cross-origin resource to script.
>
>
>> [1] http://arunranga.com/examples/access-control/SimpleXSInvocation.txt
>
>
> -- 
> Anne van Kesteren
> http://annevankesteren.nl/
Received on Wednesday, 1 July 2009 13:24:31 GMT
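The three-step flow confirmed in the exchange above (content returned on the wire with an Access-Control-Allow-Origin header, browser checks the header, browser withholds the content from script if policy disallows) can be modelled in a few lines. The following is an added example written for this archive page, not code from the thread, the CORS draft, or any browser; the function names `corsCheck` and `simulateCrossOriginGet`, the stand-in origin servers, and the sample origins are all constructed for illustration. It shows the point Anne makes: the body is transferred in every case, and the header only governs whether script on the requesting origin may read it.

```javascript
// Added example (not part of the original thread): a minimal model of the
// browser-side check for a simple cross-origin GET. The response body is
// fully received in every case; the Access-Control-Allow-Origin header only
// decides whether script may read it. All names here are hypothetical.

// Step 2: the resource-sharing check the browser applies to the response.
// Returns true if script running on `requestOrigin` may read the body.
function corsCheck(requestOrigin, responseHeaders, withCredentials) {
  const allowOrigin = responseHeaders['access-control-allow-origin'];
  if (allowOrigin === undefined) return false;       // no header: denied
  if (allowOrigin === '*') {
    // The wildcard is not accepted when credentials were sent.
    return !withCredentials;
  }
  if (allowOrigin !== requestOrigin) return false;   // must match the origin exactly
  if (withCredentials) {
    // Credentialed requests additionally need an explicit allow-credentials.
    return responseHeaders['access-control-allow-credentials'] === 'true';
  }
  return true;
}

// Steps 1 and 3: the server sends the body regardless of who asked; the
// browser either hands it to script or withholds it. `server` is a constructed
// stand-in returning { headers, body } for a given request origin.
function simulateCrossOriginGet(requestOrigin, server, withCredentials = false) {
  const response = server(requestOrigin);            // step 1: bytes on the wire
  const normalised = {};
  for (const [k, v] of Object.entries(response.headers)) {
    normalised[k.toLowerCase()] = v;                 // header names are case-insensitive
  }
  const allowed = corsCheck(requestOrigin, normalised, withCredentials);
  return {
    bytesOnWire: response.body.length,               // always transferred
    exposedToScript: allowed ? response.body : null, // step 3: policy gate
  };
}

// Constructed sample servers for demonstration (not real hosts).
const openServer = () => ({
  headers: { 'Access-Control-Allow-Origin': '*' }, body: 'public data',
});
const pickyServer = () => ({
  headers: { 'Access-Control-Allow-Origin': 'https://app.example' }, body: 'partner data',
});
const noCorsServer = () => ({
  headers: { 'Content-Type': 'text/plain' }, body: 'private data',
});

// Stand-alone demo: every server sends its body; only some bodies reach script.
if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, server] of Object.entries({ openServer, pickyServer, noCorsServer })) {
    console.log(name, simulateCrossOriginGet('https://other.example', server));
  }
}
```

Reading the output, `bytesOnWire` is non-zero for every server, including the one that sends no CORS header at all, while `exposedToScript` is `null` whenever the check fails. That is the distinction the thread settles on: the header is not a confidentiality control for data on the wire, it is a gate on what cross-origin script is allowed to read.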
