[cors] Legacy Servers: POST Body Format

The following comment contains detailed information about an issue that
was discovered during a recent security analysis of 13 next-generation
web standards, organized by ENISA (European Network and Information
Security Agency) and performed by the DistriNet Research Group (K.U.
Leuven, Belgium).

The complete report is available at http://www.enisa.europa.eu/html5
(*), and contains information about the process, the discovered
vulnerabilities and recommendations towards improving overall security
in the studied specifications.

Summary
-------

The CORS specification fails to protect legacy servers from POST
messages with arbitrary body formatting.

Based on: Cross-Origin Resource Sharing, 2 July 2011
Relevant Sections: 7.1. Cross-Origin Request

Issue
-----

The CORS specification protects legacy servers by not allowing requests
that cannot be sent using HTML, unless approved by a preflight request.
When sending a POST request without a preflight, it is possible to
include a body with content in an arbitrary format, as opposed to a
form-submitted body, which follows a strict format (e.g. "key=value" or
uploaded file contents).

Recommended Solution
--------------------

Use a stricter classification of "simple requests": by requiring the
user agent to actually check the content type against the body, requests
with non-conforming bodies can be classified as non-simple. These steps
can be added to the "make a request" steps (section 6.1.7).

Alternatively, if the specification changes mentioned above are not
feasible, it is recommended to include a content-type warning about
server-side validation of the expected content types.
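As an added illustration (not part of the original message or of the CORS specification), the following Python sketch shows the stricter classification: a POST is treated as "simple" only if its declared form content type is one of the three simple types and the body actually conforms to that type's format. The same check serves as the server-side validation the alternative recommendation asks for. The body-format rules are assumptions: urlencoded bodies are limited to unreserved characters, percent-escapes, "+", "=" and "&"; multipart bodies must be delimited by the declared boundary; text/plain form submissions are assumed to be "name=value" lines.

```python
import re

# Content types an HTML form can submit; anything else already needs a preflight.
SIMPLE_TYPES = ("application/x-www-form-urlencoded", "multipart/form-data", "text/plain")

# Assumed format of a form-urlencoded body: unreserved chars, %XX escapes, '+', '=', '&'.
_URLENCODED_RE = re.compile(rb"([A-Za-z0-9*._+-]|%[0-9A-Fa-f]{2}|[=&])*")


def media_type(content_type: str):
    """Split a Content-Type header into (lower-cased type, parameter dict)."""
    parts = [p.strip() for p in content_type.split(";")]
    params = {}
    for p in parts[1:]:
        key, _, value = p.partition("=")
        params[key.strip().lower()] = value.strip().strip('"')
    return parts[0].lower(), params


def body_matches_type(content_type: str, body: bytes) -> bool:
    """True if the body has the shape an HTML form would produce for this type."""
    mtype, params = media_type(content_type)
    if mtype == "application/x-www-form-urlencoded":
        return _URLENCODED_RE.fullmatch(body) is not None
    if mtype == "multipart/form-data":
        boundary = params.get("boundary", "").encode()
        if not boundary:
            return False
        # Must open with the first delimiter and close with the final delimiter.
        return (body.startswith(b"--" + boundary)
                and body.rstrip(b"\r\n").endswith(b"--" + boundary + b"--"))
    if mtype == "text/plain":
        # Assumed: form text/plain encoding emits one "name=value" entry per CRLF line.
        return all(line == b"" or b"=" in line for line in body.split(b"\r\n"))
    return False


def needs_preflight(method: str, content_type: str, body: bytes) -> bool:
    """Stricter 'simple request' test: non-conforming POST bodies are non-simple."""
    if method not in ("GET", "HEAD", "POST"):
        return True
    if method != "POST":
        return False
    mtype, _ = media_type(content_type)
    if mtype not in SIMPLE_TYPES:
        return True
    return not body_matches_type(content_type, body)
```

A JSON document sent as text/plain or with a form content type, which a legacy server might parse without ever seeing a preflight, is classified as non-simple by this check.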

(*) An HTML version of the report is available as well:
https://distrinet.cs.kuleuven.be/projects/HTML5-security/

-- 
Philippe De Ryck
K.U.Leuven, Dept. of Computer Science


Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm

Received on Tuesday, 2 August 2011 09:07:00 UTC