W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2011

[cors] Legacy Servers: POST Body Format

From: Philippe De Ryck <philippe.deryck@cs.kuleuven.be>
Date: Mon, 01 Aug 2011 16:09:17 +0200
To: public-webapps@w3.org
Cc: Giles Hogben <Giles.Hogben@enisa.europa.eu>, Lieven Desmet <Lieven.Desmet@cs.kuleuven.be>
Message-ID: <1312207758.29701.34.camel@papyrus>
The following comment contains detailed information about an issue that
was discovered during a recent security analysis of 13 next generation
web standards, organized by ENISA (European Network and Information
Security Agency), and performed by the DistriNet Research Group (K.U.
Leuven, Belgium).

The complete report is available at http://www.enisa.europa.eu/html5
(*), and contains information about the process, the discovered
vulnerabilities and recommendations towards improving overall security
in the studied specifications.


The CORS specification fails to protect legacy servers from POST
messages with arbitrary body formatting.

Based on: Cross-Origin Resource Sharing, 2 July 2011
Relevant Sections: 7.1. Cross-Origin Request


The CORS specification protects legacy servers by not allowing requests
that can not be sent using HTML, unless approved by a preflight request.
When sending a POST request without a preflight, it is possible to
include a body with content in an arbitrary format, as opposed to a
form-submitted body, which follows a strict format (e.g. "key=value" or
uploaded file contents).

 Recommended Solution

Use a stricter classification of "simple requests": By requiring the
user agent to actually check the content type against the body, requests
with non-conforming bodies can be classified as non-simple. These steps
can be added to the "make a request" steps (section 6.1.7)

Alternatively, if the specification changes mentioned above are not
feasible, it is recommended to include content type warning about
server-side validation of the expected content-types.

(*) HTML version of the report is available as well:

Philippe De Ryck
K.U.Leuven, Dept. of Computer Science

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm
Received on Tuesday, 2 August 2011 09:07:00 UTC

This archive was generated by hypermail 2.3.1 : Friday, 27 October 2017 07:26:34 UTC