Re: [webappsec] Updated proposal for CORS security considerations

On Mon, 2012-02-06 at 23:03 +0000, Hill, Brad wrote:
> Following further consideration, I have updated my proposed security
> considerations text for CORS around avoidance of confused deputy
> vulnerabilities when using implicit credentials.
>
> The new text follows; comments, additions and improvements welcome.

It is probably useful to add an additional security consideration
stating how to securely deal with the "null" value in the Origin header.
This can occur with CORS requests from sandboxed origins that have a
unique origin as well as with redirected CORS requests
( https://www.w3.org/2011/webappsec/track/actions/46 ).

Philippe

-- 
Philippe De Ryck
KULeuven Dept. of Computer Science


Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm

Received on Tuesday, 14 February 2012 13:53:10 UTC
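The handling Philippe asks for, as an added example that is not part of the original message or of the CORS specification: a server-side origin check in which the literal Origin value "null" (what a browser sends for a sandboxed frame with a unique origin, and for some redirected cross-origin requests) can never be granted credentialed access, even when someone has put "null" in the allowlist. The allowlist entries, sample requests and function names are constructed for the example.

```javascript
// Added example, not code from the thread or the CORS specification.
// Demonstrates handling the Origin request header so that the opaque
// value "null" is never treated as a trusted origin. The allowlist
// entries below are constructed for the example.

const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Compute the CORS response headers for one request, given the value of
// its Origin header (undefined when the browser sent none) and the set of
// origins that may call this endpoint with credentials.
// Returns an object of headers to add, or null to add no CORS headers at
// all, which makes the browser refuse the cross-origin read.
function corsHeadersFor(originHeader, allowed = ALLOWED_ORIGINS) {
  if (typeof originHeader !== 'string') {
    return null; // same-origin or non-browser request: nothing to grant
  }
  // "null" is an opaque origin. Any attacker can produce it by loading an
  // attack page in a sandboxed iframe or through a cross-origin redirect,
  // so it must never match an allowlist entry. Check it before the lookup
  // so that a misconfigured allowlist containing "null" still cannot grant it.
  if (originHeader === 'null') {
    return null;
  }
  // Exact, case-sensitive match of the whole serialized origin: no prefix,
  // suffix or regex matching, and never reflect an unknown Origin.
  if (!allowed.has(originHeader)) {
    return null;
  }
  return {
    'Access-Control-Allow-Origin': originHeader,
    'Access-Control-Allow-Credentials': 'true',
    // The response depends on Origin; say so, or a shared cache may replay
    // a response granted to one origin to a different one.
    'Vary': 'Origin',
  };
}

// Lint an allowlist at startup for the values that turn a credentialed
// CORS endpoint into an open one. Returns a list of problem descriptions;
// an empty list means the allowlist is acceptable.
function allowlistProblems(allowed) {
  const problems = [];
  for (const entry of allowed) {
    if (entry === 'null') {
      problems.push('"null" would match every sandboxed or redirected page');
    } else if (entry === '*') {
      problems.push('"*" would match every origin and cannot be used with credentials');
    } else if (!/^https?:\/\/[^/]+$/.test(entry)) {
      problems.push('"' + entry + '" is not a serialized origin (scheme://host[:port])');
    }
  }
  return problems;
}

// Constructed Origin values, as a browser would send them.
const sampleOrigins = [
  'https://app.example.com',          // trusted page
  'null',                             // sandboxed iframe or redirected request
  'https://app.example.com.evil.net', // lookalike host
  undefined,                          // same-origin fetch, no Origin header
];

for (const origin of sampleOrigins) {
  console.log(String(origin), '=>', corsHeadersFor(origin));
}
console.log(allowlistProblems(new Set(['null', '*', 'https://ok.example'])));
```

The order of the checks is the point: rejecting the literal "null" before consulting the allowlist means a later configuration mistake cannot reopen the hole, and the absence of any CORS headers (rather than a reflected origin) is what makes the browser block the read.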