
[cors] Request for a reverse CORS mechanism

From: Phani <pklanka@gmail.com>
Date: Mon, 1 Aug 2011 17:09:54 +0530
Message-ID: <CAC47B0vs3TWGbrYO6ozZF2w5R_SCVfkUGbFFNvE-eCpcRKvdWA@mail.gmail.com>
To: public-webapps@w3.org

Hello list,

While we are still at CORS - could we have something like a reverse CORS?
That means an original server should explicitly allow scripts loaded from
an external domain.

Having only CORS does prevent the data from being hijacked / information
being sent to another domain. Example - if an attacker owns a domain to
which the information is passed, the domain could as well respond with the
complete set of required headers and receive the information (or an attacker
could do a simple GET request and post the cookie / other values and steal
the information).

The idea is to work on something on the level of reverse CORS, which means if
an attacker has modified the page to include a JS file within the site, the
browser would check the parent server from which the page was loaded to
check whether it may load scripts from that domain - something like a reverse
verification (which the browser validates against the parent domain).

Does that make sense? Is there an alternative already?

Regards,
Phani Lanka
Received on Tuesday, 2 August 2011 09:06:58 GMT
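The check the post describes, modelled in Python as an added example (not code from the list or from any W3C specification): the page's own server sends an allowlist of script origins, and the browser refuses to run a script whose origin is not on it. The header name, the sample policy and the URLs are constructed for the example; the same idea was later standardized as the script-src directive of Content Security Policy.

```python
from urllib.parse import urlsplit

# Hypothetical response header carrying the allowlist from the page's own
# server (a constructed name for this example, not a real header).
ALLOW_HEADER = "X-Reverse-CORS-Script-Sources"


def origin_of(url):
    """Return (scheme, hostname, port) of an absolute URL, lowercased, or None.
    A missing port is normalised to the scheme default so that
    https://cdn.example.com and https://cdn.example.com:443 compare equal."""
    p = urlsplit(url)
    if not p.scheme or not p.hostname:
        return None
    port = p.port or {"http": 80, "https": 443}.get(p.scheme.lower())
    return (p.scheme.lower(), p.hostname.lower(), port)


def token_allows(token, script_origin, page_origin):
    """One allowlist token: 'self', an origin, or scheme://*.suffix for subdomains."""
    if token == "self":
        return script_origin == page_origin
    scheme, _, host = token.partition("://")
    if host.startswith("*."):
        # Wildcard: same scheme, any subdomain of the suffix (no scheme downgrade).
        suffix = host[1:]  # "*.example.com" -> ".example.com"
        return script_origin[0] == scheme and script_origin[1].endswith(suffix)
    return origin_of(token) == script_origin


def script_allowed(page_url, allow_header, script_src):
    """Browser-side check: may the page at page_url run the script at script_src?
    allow_header is the value the page's own server sent; None means the server
    sent no policy, so the legacy behaviour (load from anywhere) is kept."""
    if allow_header is None:
        return True
    page_origin = origin_of(page_url)
    # A relative src resolves against the page itself, so it is same-origin.
    script_origin = origin_of(script_src) or page_origin
    tokens = [t.lower() for t in allow_header.split()]
    return any(token_allows(t, script_origin, page_origin) for t in tokens)


if __name__ == "__main__":
    # Constructed scenario: an injected <script> pointing at an attacker host.
    page = "https://shop.example.com/checkout"
    policy = "self https://cdn.example.com https://*.static.example.net"
    for src in ("/js/app.js", "https://cdn.example.com/lib.js",
                "https://attacker.example.org/steal.js"):
        print(src, "->", "allowed" if script_allowed(page, policy, src) else "blocked")
```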