
Re: [cors] unaddressed security concerns

From: Adam Barth <w3c@adambarth.com>
Date: Sat, 24 Oct 2009 10:07:24 -0700
Message-ID: <7789133a0910241007t5dcdb56aq5b73bdcdc5912e77@mail.gmail.com>
To: David-Sarah Hopwood <david-sarah@jacaranda.org>
Cc: public-webapps@w3.org

On Fri, Oct 23, 2009 at 11:07 PM, David-Sarah Hopwood
<david-sarah@jacaranda.org> wrote:
> The specific risk is quite clear: it's the risk of CSRF attacks that
> are currently prevented (or mitigated) by the same-origin policy.
> These won't be prevented or mitigated to the same extent by browsers
> that implement CORS.

The reason the risk is unclear is because this scenario requires
servers to opt-in to this behavior.  It's hard for us to know what
else server operators will do when they opt in to CORS.

What is clear, however, is that in the simple cases, there is no
additional CSRF risk because the set of requests an attacker can
generate is not expanded by CORS.

Adam
Received on Saturday, 24 October 2009 17:08:17 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:34 GMT