
Re: [webappsec] Updated proposal for CORS security considerations

From: Philippe De Ryck <philippe.deryck@cs.kuleuven.be>
Date: Tue, 14 Feb 2012 14:52:14 +0100
Message-ID: <1329227534.23766.25.camel@papyrus.cs.kuleuven.be>
To: public-webappsec@w3.org
On Mon, 2012-02-06 at 23:03 +0000, Hill, Brad wrote:
> Following further consideration, I have updated my proposed security
> considerations text for CORS around avoidance of confused deputy
> vulnerabilities when using implicit credentials.
>  
> The new text follows; comments, additions and improvements welcome.

It is probably useful to add an additional security consideration
stating how to securely deal with the "null" value in the Origin header.
This can occur with CORS requests from sandboxed origins that have a
unique origin as well as with redirected CORS requests
( https://www.w3.org/2011/webappsec/track/actions/46 ).

Philippe

-- 
Philippe De Ryck
KULeuven Dept. of Computer Science


Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm
Received on Tuesday, 14 February 2012 13:53:10 GMT
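The suggestion above concerns how a server should treat an `Origin` header whose value is the literal string "null" (sent by browsers for sandboxed content with a unique origin and, in the cases tracked in the linked action, after a redirect). The following is an added example, not code from this thread or from the CORS specification: a server-side origin check for credentialed CORS responses that refuses to match or reflect "null", beside the naive allowlist lookup that would grant access if "null" were ever allowlisted. The allowlist, the header dict and the function names are all constructed for illustration.

```python
"""Server-side CORS origin check that never trusts an Origin of "null".

Added example, not from the original thread. The trusted-origin set and the
request representation (a plain dict of request headers) are assumptions;
no real web framework is used.
"""
from typing import Optional

# Constructed allowlist of origins permitted to make credentialed requests.
TRUSTED_ORIGINS = {"https://app.example", "https://admin.example"}


def cors_response_headers(request_headers: dict,
                          allow_credentials: bool = True) -> Optional[dict]:
    """Return the CORS response headers for this request, or None when the
    request's Origin is absent or not trusted.

    The value "null" is rejected before the allowlist is consulted, so it is
    never reflected in Access-Control-Allow-Origin even if the literal string
    "null" were added to TRUSTED_ORIGINS by mistake. A "null" origin carries
    no identity, so it cannot be the basis for granting credentialed access.
    """
    origin = request_headers.get("Origin")
    if origin is None or origin == "null":
        return None
    if origin not in TRUSTED_ORIGINS:
        return None
    headers = {
        # Echo the exact matched origin, never "*", for credentialed responses.
        "Access-Control-Allow-Origin": origin,
        # The response depends on the Origin header, so caches must key on it.
        "Vary": "Origin",
    }
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def naive_cors_response_headers(request_headers: dict,
                                allowlist: set) -> Optional[dict]:
    """Weak pattern shown for contrast: a plain allowlist lookup with no
    special handling of "null". If "null" ever lands in the allowlist, every
    sandboxed or redirected request is treated as a trusted origin."""
    origin = request_headers.get("Origin")
    if origin in allowlist:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    return None


if __name__ == "__main__":
    # Constructed sample requests: a trusted origin, a sandboxed/redirected
    # request ("null"), and a request with no Origin header at all.
    for hdrs in ({"Origin": "https://app.example"}, {"Origin": "null"}, {}):
        print(hdrs, "->", cors_response_headers(hdrs))
```

The hardened check treats a missing `Origin` and a "null" `Origin` identically: neither identifies a site, so neither receives `Access-Control-Allow-Credentials`. The `Vary: Origin` header keeps shared caches from serving one origin's response to another.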