
Re: Why the restriction on unauthenticated GET in CORS?

From: Adam Barth <w3c@adambarth.com>
Date: Fri, 20 Jul 2012 08:50:45 -0700
Message-ID: <CAJE5ia87E85kyg4YioJXySsjmhYvc3ELs70RJNKo-qs2-LWSyg@mail.gmail.com>
To: Cameron Jones <cmhjones@gmail.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, Henry Story <henry.story@bblfish.net>, Ian Hickson <ian@hixie.ch>, public-webapps <public-webapps@w3.org>, public-webappsec@w3.org
On Fri, Jul 20, 2012 at 4:37 AM, Cameron Jones <cmhjones@gmail.com> wrote:
> On Fri, Jul 20, 2012 at 8:29 AM, Adam Barth <w3c@adambarth.com> wrote:
>> On Thu, Jul 19, 2012 at 7:50 AM, Cameron Jones <cmhjones@gmail.com> wrote:
>>> On Thu, Jul 19, 2012 at 3:19 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
>>>> On Thu, Jul 19, 2012 at 4:10 PM, Cameron Jones <cmhjones@gmail.com> wrote:
>>>>> Isn't this mitigated by the Origin header?
>>>>
>>>> No.
>>>
>>> Could you expand on this response, please?
>>>
>>> My understanding is that requests generate from XHR will have Origin
>>> applied. This can be used to reject requests from 3rd party websites
>>> within browsers. Therefore, intranets have the potential to restrict
>>> access from internal user browsing habits.
>>
>> They have the potential, but existing networks don't do that.  We need
>> to protect legacy systems that don't understand the Origin header.
>>
>
> Yes, I understand that. When new features are introduced someone's
> security policy is impacted, in this case (and by policy always the
> case) it is those who provide public services whose security policy is
> broken.
>
> It just depends on whose perspective you look at it from.
>
> The costs of private security *are* being paid by the public, although
> it seems the public has to pay a high price for everything nowadays.

I'm not sure I understand the point you're making, but it doesn't
really matter.  We're not going to introduce vulnerabilities into
legacy systems.

>>>>> Also, what about the point that this is unethically pushing the costs
>>>>> of securing private resources onto public access providers?
>>>>
>>>> It is far more unethical to expose a user's private data.
>>>
>>> Yes, but if no user private data is being exposed then there is a cost
>>> being paid for no benefit.
>>
>> I think it's difficult to discuss ethics without agreeing on an
>> ethical theory.  Let's stick to technical, rather than ethical,
>> discussions.
>
> Yes, but as custodians of a public space there is an ethical duty and
> responsibility to represent the interests of all users of that space.
> This is why the concerns deserve attention even if they may have been
> visited before.

I'm sorry, but I'm unable to respond to any ethical arguments.  I can
only respond to technical arguments.

> Given the level of impact affects the entire corpus of global public
> data, it is valuable to do an impact and risk assessment to garner
> whether the costs are significantly outweighed by either party.
>
> With some further consideration, I can't see any other way to protect
> IP authentication against targeted attacks through to their systems
> without the mandatory upgrade of these systems to IP + Origin
> Authentication.
>
> So, this is a non-starter. Thanks for all the fish.

That's why we have the current design.

Adam
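To make the thread's argument concrete, here is an added example, not code from the thread or from any W3C specification: a small Python model of a legacy intranet service that authenticates by source IP and never looks at Origin, beside the "IP + Origin" upgrade Cameron mentions, with a simplified browser applying the CORS read check on the response. The IP range, origins and response bodies are constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed for illustration: the legacy service "authenticates" by source IP.
INTRANET = ip_network("10.0.0.0/8")
TRUSTED_ORIGIN = "https://intranet.example"  # hypothetical internal web app


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)


def legacy_server(client_ip: str, request_headers: dict) -> Response:
    """Legacy intranet service: trusts any intranet IP and never looks at
    Origin (it predates CORS), so it also sends no CORS headers."""
    if ip_address(client_ip) in INTRANET:
        return Response("internal report")
    return Response("forbidden")


def origin_aware_server(client_ip: str, request_headers: dict) -> Response:
    """The same service after the 'IP + Origin' upgrade the thread mentions:
    it rejects browser requests from other origins itself and opts the
    trusted origin in via Access-Control-Allow-Origin."""
    origin = request_headers.get("Origin")
    if ip_address(client_ip) not in INTRANET:
        return Response("forbidden")
    if origin is not None and origin != TRUSTED_ORIGIN:
        return Response("forbidden")
    return Response("internal report", {"Access-Control-Allow-Origin": TRUSTED_ORIGIN})


def browser_can_read(request_origin: str, response: Response) -> bool:
    """Browser-side CORS rule for a simple cross-origin GET: the page's
    script may read the body only if the server opted in for that origin."""
    allow = response.headers.get("Access-Control-Allow-Origin")
    return allow == "*" or allow == request_origin


def cross_site_read(server, request_origin: str, client_ip: str,
                    enforce_cors: bool = True):
    """A page at request_origin, loaded in a browser on client_ip, issues a
    cross-origin GET. Returns the body the script gets, or None if the
    browser withholds it. enforce_cors=False models the 'Origin header is
    enough' proposal: the browser sends Origin but still exposes the body."""
    resp = server(client_ip, {"Origin": request_origin})
    if enforce_cors and not browser_can_read(request_origin, resp):
        return None
    return resp.body
```

With the CORS default, a public page loaded by an intranet user gets `None` from the legacy service; under the Origin-only model the same call returns the report, which is exactly the legacy-system exposure Adam describes.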
Received on Friday, 20 July 2012 15:51:48 GMT
