W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2009

Re: [cors] unaddressed security concerns

From: Maciej Stachowiak <mjs@apple.com>
Date: Tue, 13 Oct 2009 19:47:45 -0700
Cc: Adam Barth <w3c@adambarth.com>, Anne van Kesteren <annevk@opera.com>, "Henry S. Thompson" <ht@inf.ed.ac.uk>, Jonas Sicking <jonas@sicking.cc>, Arthur Barstow <Art.Barstow@nokia.com>, public-webapps <public-webapps@w3.org>
Message-id: <DB008B9A-975B-4425-8A2F-411153622A7E@apple.com>
To: "Mark S. Miller" <erights@google.com>

On Oct 13, 2009, at 5:31 PM, Mark S. Miller wrote:

> On Mon, Oct 12, 2009 at 10:49 PM, Adam Barth <w3c@adambarth.com>  
> wrote:
>> [...] We should concentrate on the following questions:
>>
>> 1) Does CORS introduce security vulnerabilities into legacy servers
>> that are unaware of the CORS protocol?
>> 2) How well does CORS support the simple use cases of cross-origin
>> resource sharing?
>> 3) Does CORS prevent sophisticated developers from implementing
>> advanced uses cases?
>>
>> Do you find CORS problematic for any of the above questions?  Do you
>> think we should be concerned with other questions?
>
>
> The issue is either #2 or "other question" depending on how you look
> at it. Let's look at this by analogy.

The analogy is interesting, but what's the problem CORS itself has?  
Can you give an example of a #2 problem, or state the "other question"  
we should be concerned with and why CORS scores poorly by that metric?

> Say we rewind the web prior to
> the introduction of cookies. Say that web already had cookieless
> cross-origin form GETs and POSTs. Say cookies were now being proposed
> in this forum, together with the proposal that cookies be conveyed by
> those cross-origin form GETs and POSTs. As we now know, this mistake
> resulted in a confused deputy vulnerability, CSRF, that is now
> understood to be a big deal.
>
> How would an objection in this forum to the introduction of
> cross-origin cookies have fared at that time by the above criteria?
>
>
> 1) Do cross-origin cookies introduce security vulnerabilities into
> legacy servers
> that are unaware of the cross-origin cookie protocol?
>
> Since no one yet pays any attention to cookies, adding cookies can't
> create any vulnerabilities in legacy servers. (And also like CORS,
> since legacy clients don't send it, it doesn't create any new
> vulnerabilities for them either).
>
>
> 2) How well do cross-origin cookies support the simple use cases of  
> cross-origin
> resource sharing?
>
> As we all now know, many simple use cases are supported well by
> cross-origin cookies.

Actually, we now all know that many (most?) simple use cases are not  
supported well by cross-origin cookies without some additional  
mechanism beyond the basic-pre-existing platform, since they would be  
subject to a CSRF vulnerability. You could argue that in the  
hypothetical world, no one could have predicted this. But I think at  
the time cookies were introduced, no one seriously tried to predict  
the vulnerabilities. This was before the same-origin security model  
was formulated; there was considerably less understanding of Web  
security. Cookies first shipped before JavaScript.

If CORS has similar vulnerabilities in simple use cases, then in the  
non-hypothetical present day we should be able to predict them.

>
>
> 3) Do cross-origin cookies prevent sophisticated developers from  
> implementing
> advanced uses cases?
>
> Clearly not. Adding ignorable cookies doesn't prevent anyone from
> doing anything they can now do.
>
>
> Q: Do you find cross-origin cookies problematic for any of the above  
> questions?
>
> Apparently not, but I have a nagging feeling that I answer #2 too  
> quickly.
>
>
> Q: Do you think we should be concerned with other questions?
>
> Yes. Returning from the hypothetical, since we now understand how
> cross-origin cookies led to CSRF, and since none of the numbered
> questions would have caught the problem before it was too late,
> clearly we're missing something.

By this argument, do you mean to say something more specific than  
"even simple use cases of CORS may have a currently unknown future  
vulnerability"?

Regards,
Maciej
Received on Wednesday, 14 October 2009 02:48:19 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:34 GMT