W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2009

Re: [cors] unaddressed security concerns

From: Anne van Kesteren <annevk@opera.com>
Date: Mon, 12 Oct 2009 08:36:02 +0200
To: "Mark S. Miller" <erights@google.com>
Cc: "Henry S. Thompson" <ht@inf.ed.ac.uk>, "Jonas Sicking" <jonas@sicking.cc>, "Arthur Barstow" <Art.Barstow@nokia.com>, public-webapps <public-webapps@w3.org>
Message-ID: <op.u1ocmc1s64w2qv@anne-van-kesterens-macbook.local>
On Sat, 10 Oct 2009 01:36:50 +0200, Mark S. Miller <erights@google.com>  
> The last of the links above should make the application to CORS
> concrete. See also the dismissive replies which followed in that
> thread. If you find these dismissals plausible, please imagine back to
> the world in which CSRF was first diagnosed (second bullet above) as
> ask if CSRFs would have also seemed merely theoretical back then? In
> both cases, the answer "well don't do that" seems to make sense on
> first analysis for the same reasons.

The concern seems to be mostly about CORS being an access control system.  
I'm not entirely sure that is justified (though the headers are indeed  
confusingly named, mea culpa). All CORS does is allowing cross-origin  
resources to communicate with each other. What actions follow from  
requests should in general not follow from (just) the origin were the  
request originated. That would allow all kinds of trouble.

Then again, I think this was explained before as well, so I kind of have  
the feeling we are going around in circles.

Anne van Kesteren
Received on Monday, 12 October 2009 06:36:54 UTC

This archive was generated by hypermail 2.3.1 : Friday, 27 October 2017 07:26:20 UTC