W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2009

Re: [cors] unaddressed security concerns

From: Anne van Kesteren <annevk@opera.com>
Date: Tue, 27 Oct 2009 17:06:08 +0100
To: "Adam Barth" <w3c@adambarth.com>, "David-Sarah Hopwood" <david-sarah@jacaranda.org>
Cc: public-webapps@w3.org
Message-ID: <op.u2gu0iow64w2qv@annevk-t60>
On Sat, 24 Oct 2009 19:07:24 +0200, Adam Barth <w3c@adambarth.com> wrote:
> On Fri, Oct 23, 2009 at 11:07 PM, David-Sarah Hopwood
> <david-sarah@jacaranda.org> wrote:
>> The specific risk is quite clear: it's the risk of CSRF attacks that
>> are currently prevented (or mitigated) by the same-origin policy.
>> These won't be prevented or mitigated to the same extent by browsers
>> that implement CORS.
> The reason the risk is unclear is because this scenario requires
> servers to opt-in to this behavior.  It's hard for us to know what
> else server operators will do when they opt in to CORS.
> What is clear, however, is that in the simple cases, there is no
> additional CSRF risk because the set of requests an attacker can
> generate is not expanded by CORS.

This is not limited to the simple cases, for what it's worth. It requires  
opt-in in all cases. By default everything is pretty much the same and the  
same as far as servers are concerned.

Anne van Kesteren
Received on Tuesday, 27 October 2009 16:07:46 UTC

This archive was generated by hypermail 2.3.1 : Friday, 27 October 2017 07:26:20 UTC