
Re: [cors] Two minor processing issues

From: Philippe De Ryck <philippe.deryck@cs.kuleuven.be>
Date: Thu, 04 Aug 2011 14:46:18 +0200
To: public-webapps@w3.org
Message-ID: <1312461978.6004.71.camel@papyrus>

On Thu, 2011-08-04 at 00:12 +0200, Anne van Kesteren wrote:
> On Wed, 03 Aug 2011 19:43:28 +0200, Philippe De Ryck  
> <philippe.deryck@cs.kuleuven.be> wrote:
> > CORS-ISOLATION-1.Unique Origins: When run in a document with a globally
> > unique identifier for an origin, the Origin header specification
> > requires that null should be sent as the value of the Origin header. The
> > algorithms listed in the CORS specification do not explicitly take the
> > null value into account, leading to some illogical scenarios. It is for
> > instance valid that a request sends origin null and the server responds
> > with an Allow-Origin header with the value null.
> 
> Is that problematic? This is a feature.

If this was intended as a feature, the spec should reflect this more
clearly.

Additionally, this feature allows the use of null as the basis for
access control. How can the server use this to decide whether it should
allow access or not? Any origin can cause the origin header to be set to
null by loading itself in a sandboxed iframe, essentially reducing null
to the same level as the wildcard value (without the server-side
information about the source origin). The only difference is that for
null, credentials are allowed, but for a wildcard they are not, which
again is very confusing, even contradictory.

-- 
Philippe De Ryck
K.U.Leuven, Dept. of Computer Science



Received on Thursday, 4 August 2011 12:47:12 GMT
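
Added example, not part of the original message or of the CORS specification: a server-side sketch of the concern raised above, contrasting a policy that echoes the Origin header (and so accepts "null" with credentials) with one that never treats "null" as an identity. The function names, the allowlist and the sample origins are assumptions constructed for illustration.

```javascript
// Hypothetical allowlist (constructed sample value).
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Weak policy: reflects whatever Origin was sent, so the literal
// string "null" is granted a credentialed response like any other value.
function naiveCorsHeaders(requestOrigin) {
  if (typeof requestOrigin !== "string") return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Stricter policy: exact allowlist match only. "null" is rejected before
// the allowlist lookup, so a misconfigured allowlist cannot re-enable it.
function strictCorsHeaders(requestOrigin, allowed = ALLOWED_ORIGINS) {
  const headers = { "Vary": "Origin" }; // response depends on Origin either way
  if (typeof requestOrigin !== "string") return headers;
  // A unique origin serializes as "null"; it says nothing about who is calling.
  if (requestOrigin === "null") return headers;
  if (!allowed.has(requestOrigin)) return headers;
  headers["Access-Control-Allow-Origin"] = requestOrigin;
  headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// True when the response would let the requesting origin read a
// credentialed cross-origin response.
function grantsCredentialedRead(headers, requestOrigin) {
  return headers["Access-Control-Allow-Origin"] === requestOrigin &&
         headers["Access-Control-Allow-Credentials"] === "true";
}

// Run a policy over sample Origin values and list the ones it admits.
function audit(policy, origins) {
  return origins.filter((o) => grantsCredentialedRead(policy(o), o));
}

// Constructed sample Origin header values.
const SAMPLE_ORIGINS = ["https://app.example.com", "https://other.example", "null"];
console.log("naive admits: ", audit(naiveCorsHeaders, SAMPLE_ORIGINS));
console.log("strict admits:", audit(strictCorsHeaders, SAMPLE_ORIGINS));
```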
