
Re: [cors] unaddressed security concerns

From: Jonathan Rees <jar@creativecommons.org>
Date: Mon, 12 Oct 2009 08:50:07 -0400
Message-ID: <760bcb2a0910120550sb843d08j80782d0387608683@mail.gmail.com>
To: Anne van Kesteren <annevk@opera.com>
Cc: "Mark S. Miller" <erights@google.com>, "Henry S. Thompson" <ht@inf.ed.ac.uk>, Jonas Sicking <jonas@sicking.cc>, Arthur Barstow <Art.Barstow@nokia.com>, public-webapps <public-webapps@w3.org>
On Mon, Oct 12, 2009 at 2:36 AM, Anne van Kesteren <annevk@opera.com> wrote:
> On Sat, 10 Oct 2009 01:36:50 +0200, Mark S. Miller <erights@google.com>
> wrote:
>>
>> The last of the links above should make the application to CORS
>> concrete. See also the dismissive replies which followed in that
>> thread. If you find these dismissals plausible, please imagine back to
>> the world in which CSRF was first diagnosed (second bullet above) and
>> ask if CSRFs would have also seemed merely theoretical back then? In
>> both cases, the answer "well don't do that" seems to make sense on
>> first analysis for the same reasons.
>
> The concern seems to be mostly about CORS being an access control system.
> I'm not entirely sure that is justified (though the headers are indeed
> confusingly named, mea culpa). All CORS does is allow cross-origin
> resources to communicate with each other. What actions follow from requests
> should in general not follow from (just) the origin where the request
> originated. That would allow all kinds of trouble.

If access to resources weren't controlled (i.e. secure in the face of
realistic risks), why would you deploy the feature?

> Then again, I think this was explained before as well, so I kind of have the
> feeling we are going around in circles.

That you are going around in circles is an accurate assessment. I
recommend you open an issue in your tracker for this, if you haven't
already, and that the next time you ask the W3C membership to review a
draft, if you haven't resolved the issue, that you include a note that
a possible vulnerability has been identified, but that there isn't
agreement in the WG over whether it is a real vulnerability; or if it
is, whether it needs to be addressed. [sorry, can't figure out how to
make that easier to read.]

The stakes are pretty high here, so you want to make all reasonable
efforts to ensure that the practice you're thinking of Recommending
really is something that ought to be Recommended (as opposed to just
something that's already being Done).

And I think we'll all learn something if we get to the bottom of this!
Think of your struggle to get consensus as an opportunity, not an
annoyance.

-Jonathan
(not speaking on behalf of any group of which he is a member.)

> --
> Anne van Kesteren
> http://annevankesteren.nl/
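The distinction Anne draws above (CORS decides only whether a cross-origin caller may read a response; it should not by itself decide whether an action is performed) as an added illustration that is not part of the thread. The handler names, origin list and token table are constructed for this example.

```python
# Added example, not code from the thread. It models a server endpoint that
# performs a state-changing action and answers CORS requests.
# ALLOWED_ORIGINS, SESSION_TOKENS and the handler names are constructed here.

ALLOWED_ORIGINS = {"https://app.example"}   # constructed: origins allowed to read responses
SESSION_TOKENS = {"tok-123": "alice"}       # constructed: request-bound credential -> user


def cors_headers(origin):
    """Decide only whether the cross-origin caller may READ the response.
    This is the whole of what CORS decides; it says nothing about whether
    the requested action itself is permitted."""
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}


def handle_transfer_origin_only(headers, body):
    """Weak pattern (the concern raised in the thread): the action is carried
    out because the Origin looks trusted, so origin acts as ambient authority.
    Note that non-browser clients can send any Origin value they like."""
    origin = headers.get("Origin", "")
    if origin in ALLOWED_ORIGINS:
        return 200, cors_headers(origin), f"transferred {body['amount']} to {body['to']}"
    return 403, {}, "forbidden"


def handle_transfer_token(headers, body):
    """Pattern matching Anne's point: the action requires a credential bound
    to this request (a bearer token the calling script must present);
    Origin is consulted only to build the CORS response headers."""
    origin = headers.get("Origin", "")
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    user = SESSION_TOKENS.get(token)
    if user is None:
        # CORS headers are still emitted so the caller can read the error.
        return 401, cors_headers(origin), "missing or invalid credential"
    return 200, cors_headers(origin), f"{user} transferred {body['amount']} to {body['to']}"
```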
Received on Monday, 12 October 2009 12:50:44 GMT