
Re: [cors] unaddressed security concerns

From: Mark S. Miller <erights@google.com>
Date: Fri, 9 Oct 2009 16:36:50 -0700
Message-ID: <4d2fac900910091636h2c3d0a8bsa307bcbaf795bbe8@mail.gmail.com>
To: Anne van Kesteren <annevk@opera.com>
Cc: "Henry S. Thompson" <ht@inf.ed.ac.uk>, Jonas Sicking <jonas@sicking.cc>, Arthur Barstow <Art.Barstow@nokia.com>, public-webapps <public-webapps@w3.org>
On Thu, Oct 8, 2009 at 9:16 AM, Anne van Kesteren <annevk@opera.com> wrote:
> On Thu, 08 Oct 2009 18:07:29 +0200, Mark S. Miller <erights@google.com>
> wrote:
>> The core criticism that several of us have raised about CORS has never
>> been addressed -- that it creates further confused deputy problems.
>> Rather than addressing the "first order" confused deputy problem of
>> CSRF, it merely postpones it one level, creating second order confused
>> deputy problems. See Tyler's example.
> I'd appreciate a pointer.

In roughly chronological order:

* Norm Hardy's original Confused Deputy paper
* Kragen Sitaker's
-- one of the earliest diagnoses of confused deputy vulnerabilities on
the web
* My own <srl.cs.jhu.edu/pubs/SRL2003-02.pdf>
* Section 8.1 of Fred Spiessens' thesis
<http://www.evoluware.eu/fsp_thesis.pdf> formalizes the confused deputy
problem and provides some visualizations.
* Tyler Close's "ACLs Don't" <http://waterken.sourceforge.net/aclsdont/>
* Jonathan Rees' "Resource protection"
* The thread including Adam Barth's
* Tyler's CORS example at

>>> I was wondering if the TAG considers this item closed or wishes to know
>>> something more, in which case I'd like to hear about it! I'm trying to
>>> wrap up email threads and this is one of them. Thanks!
>> If the confused deputy problems created by CORS have already been
>> addressed, I'd like to hear about that. Did I miss part of the thread?
>>> PS: The remainder of this thread about redirects and CSRF is being taken
>>> care of by updates to both CORS and the Origin header draft Adam is
>>> working on. In short Origin will most likely become a space-separated
>>> list revealing the entire request chain.
>> Please go back and read "Origin isn't". The redirect problem Tyler
>> pointed out was merely a symptom of a deeper problem. Tyler was able
>> to identify this symptom because he does not regard the underlying
>> problem as merely theoretical. The Origin list "solution" is curing
>> the symptom only.
> I'm not sure what you are referring to, but I thought all outstanding issues
> were dealt with to be honest. (Or ended in agreed to disagree.)

Perhaps we can at least agree that we disagree ;)

> If there are
> still problems it would help me if they were made more concrete. "confused
> deputy" does not help me much because I don't see the problem you are
> seeing.

The last of the links above should make the application to CORS
concrete. See also the dismissive replies which followed in that
thread. If you find these dismissals plausible, please imagine yourself back
in the world in which CSRF was first diagnosed (second bullet above) and
ask whether CSRFs would also have seemed merely theoretical back then. In
both cases, the answer "well don't do that" seems to make sense on
first analysis for the same reasons.

Received on Friday, 9 October 2009 23:37:28 UTC
