CORS Best Practices (was: [cors] unaddressed security concerns)

Hi, David-Sarah-

David-Sarah Hopwood wrote (on 10/24/09 2:07 AM):
>
> Currently, the prevalence and impact of CSRF attacks is limited to some
> extent by the same-origin restrictions. The adoption of CORS will remove
> part of that limitation. This should be expected to result in more sites
> that rely on CORS being vulnerable to CSRF, even though the vulnerabilities
> are dependent on the detailed behaviour of those sites and are not a
> *direct* consequence of CORS per se. That is, these sites could in principle
> avoid such attacks, but only by avoiding the use of ambient authority, and
> we know from experience that some proportion of them won't do that.

Okay, so, the complaint isn't that CORS itself is insecure, but that 
people won't know how to use it properly.  This is a different problem, 
with a different solution.

I certainly acknowledge your concern, and this is something we need to 
take seriously.

If I understand you correctly, there doesn't seem to be anything about 
the CORS specification inherently that would cause it to change, nor to 
prevent it from progressing along the W3C Recommendation Track... 
rather, the challenge is to properly educate people on its use.  We need 
to make sure that, as a consequence of CORS being enabled, site authors 
don't misapply the new power they have, to the extent that that is possible.

Perhaps at this point we could work on some easy-to-understand 
tutorials, best practices, or even sample code showing what to do and what 
not to do with CORS (and cross-site scripting in general), which W3C 
could host alongside CORS, to get the right messages out there.

If the security community is willing to write up articles as well, W3C 
would be happy to link to or host that material.

Regards-
-Doug Schepers
W3C Team Contact, SVG and WebApps WGs

Received on Saturday, 24 October 2009 19:37:49 UTC
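To make the "ambient authority" point in the quoted paragraph concrete, the following is an added Python example; it is not code from this thread, from the WebApps WG, or from any browser or server CORS implementation. It models two server-side handlers for the same endpoint: one that reflects any Origin, allows credentials and trusts the session cookie alone (the pattern that turns a CORS-enabled site into a CSRF target), and one that allowlists origins and accepts only a token the calling script attaches itself. A small function stands in for the browser's CORS read check. All origins, cookie values and tokens are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed sample data: an origin allowlist, one cookie session, one bearer token.
ALLOWED_ORIGINS = {"https://app.example"}
SESSION_COOKIES = {"sess-123": "alice"}     # ambient authority: the browser sends it by itself
BEARER_TOKENS = {"tok-abc": "alice"}        # explicit authority: page script must attach it


@dataclass
class Request:
    origin: str                                  # Origin header set by the browser
    cookies: dict = field(default_factory=dict)  # attached automatically on a credentialed request
    headers: dict = field(default_factory=dict)  # set explicitly by the calling script


@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)


def weak_handler(req: Request) -> Response:
    """The anti-pattern: reflect whatever Origin arrives, allow credentials,
    and authenticate by session cookie alone (ambient authority)."""
    user = SESSION_COOKIES.get(req.cookies.get("session", ""))
    if user is None:
        return Response(401, "")
    return Response(200, f"private data for {user}", {
        "Access-Control-Allow-Origin": req.origin,
        "Access-Control-Allow-Credentials": "true",
    })


def hardened_handler(req: Request) -> Response:
    """The fix: allowlist origins explicitly and ignore the session cookie for
    this endpoint, accepting only a bearer token the page script attaches itself."""
    auth = req.headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    user = BEARER_TOKENS.get(token)
    headers = {}
    if req.origin in ALLOWED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = req.origin
        headers["Access-Control-Allow-Headers"] = "Authorization"  # what the preflight must permit
        headers["Vary"] = "Origin"
    if user is None:
        return Response(401, "", headers)
    return Response(200, f"private data for {user}", headers)


def browser_exposes(req: Request, resp: Response) -> bool:
    """Model of the browser-side CORS check: the page script may read the
    response only if Access-Control-Allow-Origin names its origin (or '*' for
    a request without cookies) and, when cookies were sent, the server also
    answered Access-Control-Allow-Credentials: true."""
    acao = resp.headers.get("Access-Control-Allow-Origin")
    if req.cookies:
        return acao == req.origin and resp.headers.get("Access-Control-Allow-Credentials") == "true"
    return acao in (req.origin, "*")


# Constructed scenarios.
# 1. The victim's browser, on a page from some other origin, makes a credentialed
#    request; the browser attaches the victim's session cookie automatically.
CROSS_SITE_REQUEST = Request("https://other.example", cookies={"session": "sess-123"})
# 2. The site's own front end calls the API with a token it holds in memory.
APP_REQUEST = Request("https://app.example", headers={"Authorization": "Bearer tok-abc"})


def run_demo() -> dict:
    """Return, per handler and scenario, whether the calling page ends up reading private data."""
    results = {}
    for name, handler in (("weak", weak_handler), ("hardened", hardened_handler)):
        for label, req in (("cross_site", CROSS_SITE_REQUEST), ("app", APP_REQUEST)):
            resp = handler(req)
            results[(name, label)] = resp.status == 200 and browser_exposes(req, resp)
    return results


if __name__ == "__main__":
    for key, readable in run_demo().items():
        print(key, "page can read private data" if readable else "blocked")
```

The difference between the two handlers is exactly the one the quoted text describes: the weak handler honours a credential the browser supplies on the user's behalf, so any origin that can persuade the browser to send a request inherits that authority once the Origin is reflected; the hardened handler only honours a credential the requesting page must possess and attach itself, so a page on another origin gets a 401 regardless of what cookies the browser holds.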