
Re: [cors] unaddressed security concerns

From: Mark S. Miller <erights@google.com>
Date: Tue, 13 Oct 2009 17:31:02 -0700
Message-ID: <4d2fac900910131731t11a3d067ueadac531316ab33c@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: Anne van Kesteren <annevk@opera.com>, "Henry S. Thompson" <ht@inf.ed.ac.uk>, Jonas Sicking <jonas@sicking.cc>, Arthur Barstow <Art.Barstow@nokia.com>, public-webapps <public-webapps@w3.org>
On Mon, Oct 12, 2009 at 10:49 PM, Adam Barth <w3c@adambarth.com> wrote:
> [...] We should concentrate on the following questions:
>
> 1) Does CORS introduce security vulnerabilities into legacy servers
> that are unaware of the CORS protocol?
> 2) How well does CORS support the simple use cases of cross-origin
> resource sharing?
> 3) Does CORS prevent sophisticated developers from implementing
> advanced use cases?
>
> Do you find CORS problematic for any of the above questions?  Do you
> think we should be concerned with other questions?


The issue is either #2 or "other question" depending on how you look
at it. Let's look at this by analogy. Say we rewind the web prior to
the introduction of cookies. Say that web already had cookieless
cross-origin form GETs and POSTs. Say cookies were now being proposed
in this forum, together with the proposal that cookies be conveyed by
those cross-origin form GETs and POSTs. As we now know, this mistake
resulted in a confused deputy vulnerability, CSRF, that is now
understood to be a big deal.

How would an objection in this forum to the introduction of
cross-origin cookies have fared at that time by the above criteria?


1) Do cross-origin cookies introduce security vulnerabilities into
legacy servers that are unaware of the cross-origin cookie protocol?

Since no one yet pays any attention to cookies, adding cookies can't
create any vulnerabilities in legacy servers. (And also like CORS,
since legacy clients don't send it, it doesn't create any new
vulnerabilities for them either).


2) How well do cross-origin cookies support the simple use cases of cross-origin
resource sharing?

As we all now know, many simple use cases are supported well by
cross-origin cookies.


3) Do cross-origin cookies prevent sophisticated developers from implementing
advanced use cases?

Clearly not. Adding ignorable cookies doesn't prevent anyone from
doing anything they can now do.


Q: Do you find cross-origin cookies problematic for any of the above questions?

Apparently not, but I have a nagging feeling that I answer #2 too quickly.


Q: Do you think we should be concerned with other questions?

Yes. Returning from the hypothetical, since we now understand how
cross-origin cookies led to CSRF, and since none of the numbered
questions would have caught the problem before it was too late,
clearly we're missing something.


-- 
    Cheers,
    --MarkM
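The confused-deputy problem MarkM describes, as an added example that is not part of this thread, of CORS, or of any browser or server code: a "legacy" handler that treats the session cookie as its only authority cannot distinguish a user-intended POST from one that a page on another origin made the browser submit, because the browser attaches the cookie either way. The hardened handler beside it binds a per-session token to the request and rejects a non-matching Origin header when one is present. The origins, session store, balances, secret and request objects are all constructed for illustration.

```python
"""Cookie-as-ambient-authority (CSRF confused deputy) versus a handler that
requires proof the request came from the site's own page. Everything below
(origins, sessions, balances, requests) is constructed for illustration."""

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://bank.example"          # assumed origin of the deputy server
SESSIONS = {"sess-123": "alice"}              # constructed session-id -> user map
SECRET = secrets.token_bytes(32)              # constructed server-side signing key


@dataclass
class Request:
    """Minimal model of what a server sees for one HTTP request."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def make_balances():
    """Fresh account state so each scenario starts from the same point."""
    return {"alice": 100, "mallory": 0}


def _apply_transfer(user, req, balances):
    to, amount = req.form["to"], int(req.form["amount"])
    if to not in balances or balances.get(user, 0) < amount:
        return 400
    balances[user] -= amount
    balances[to] += amount
    return 200


def transfer_vulnerable(req, balances):
    """Legacy handler: the cookie is the only authority check. A cross-origin
    form POST carries the same cookie, so the server is a confused deputy."""
    user = SESSIONS.get(req.cookies.get("session"))
    if user is None:
        return 401
    return _apply_transfer(user, req, balances)


def csrf_token(session_id):
    """Per-session token derived with an HMAC so the server need not store it."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def transfer_hardened(req, balances):
    """Same operation, but the request must prove it came from the site's own
    page: Origin (if the browser sent one) must match, and the form must carry
    the token that only a same-origin page could have read."""
    session_id = req.cookies.get("session")
    user = SESSIONS.get(session_id)
    if user is None:
        return 401
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403                               # explicit cross-origin submission
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, csrf_token(session_id)):
        return 403                               # no proof of same-origin intent
    return _apply_transfer(user, req, balances)


def cross_origin_form_post():
    """What the browser would send when a page on some other origin submits a
    form to the deputy: the user's cookie rides along automatically."""
    return Request("POST", "/transfer",
                   headers={"Origin": "https://other.example"},   # constructed
                   cookies={"session": "sess-123"},
                   form={"to": "mallory", "amount": 50})


def same_origin_form_post():
    """A submission from the site's own page, which can embed the token."""
    return Request("POST", "/transfer",
                   headers={"Origin": SITE_ORIGIN},
                   cookies={"session": "sess-123"},
                   form={"to": "mallory", "amount": 50,
                         "csrf_token": csrf_token("sess-123")})


def run_scenarios():
    """Return (status, alice's remaining balance) for each handler/request pair."""
    results = {}
    for name, handler, req in (
        ("vulnerable_cross_origin", transfer_vulnerable, cross_origin_form_post()),
        ("hardened_cross_origin", transfer_hardened, cross_origin_form_post()),
        ("hardened_same_origin", transfer_hardened, same_origin_form_post()),
    ):
        balances = make_balances()
        status = handler(req, balances)
        results[name] = (status, balances["alice"])
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: status={outcome[0]}, alice={outcome[1]}")
```

The Origin check is deliberately tolerant of a missing header, since older browsers never sent one; the token is what actually stops the deputy from being confused, which is why the hardened handler rejects a cross-origin request even when the Origin header is absent.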
Received on Wednesday, 14 October 2009 00:31:36 GMT
