W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2012

RE: [webappsec] Updated proposal for CORS security considerations

From: Hill, Brad <bhill@paypal-inc.com>
Date: Tue, 14 Feb 2012 23:20:30 +0000
To: Anne van Kesteren <annevk@opera.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E02F1F1@DEN-EXDDA-S11.corp.ebay.com>
Looks great to me.  Thanks, Anne.  A few folks wanted a bit more time to review this on the call today, so will take up a formal resolution to go to LC on the next call.

-Brad

> -----Original Message-----
> From: Anne van Kesteren [mailto:annevk@opera.com]
> Sent: Tuesday, February 14, 2012 7:05 AM
> To: public-webappsec@w3.org; Hill, Brad
> Subject: Re: [webappsec] Updated proposal for CORS security considerations
> 
> Thanks for writing this. I integrated this though not completely. See below
> for details.
> 
> http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html

> 
> 
> On Tue, 07 Feb 2012 00:03:49 +0100, Hill, Brad <bhill@paypal-inc.com>
> wrote:
> > b. A resource that is publicly accessible, with no access control
> > checks, should always return an Access-Control-Allow-Origin header
> > with the literal string "*" as its value and an
> > Access-Control-Allow-Credentials header with the literal string "false"
> > as its value.
> 
> I removed the second header as there is no such value and it is not needed.
> 
> 
> > Legacy user-agents remain limited by the Same Origin Policy from
> > accessing such resources cross-origin. Currently deployed user-agents
> > that understand the Access-Control-Allow-Origin header, as well as
> > user-agents conformant to this specification, will be able to access
> > such resources regardless of origin.
> 
> Not sure if we need to include this. Everyone supports CORS and this section
> is already pretty long. Commented out for now.
> 
> 
> > c. A GET response whose body happens to parse as [ECMAScript] should
> > always return an Access-Control-Allow-Origin header with the literal
> > string "*" as its value. This category includes [JSON] content. These
> > responses have already effectively opted-out of Same Origin Policy
> > protection, since the content can be accessed cross-origin using an
> > HTML <script> tag. If needed, such resources should implement access
> > control and CSRF protections as described in Part 1 of these
> considerations.
> 
> I changed since as comments are protected currently and JSON cannot be
> executed and therefore not read cross-origin.
> 
> 
> > 3. Certain precautions should be followed when specifying particular
> > authorized origins in the Access-Control-Allow-Origin header:
> >
> > a. Authors should be aware that an application executing in the
> > user-agent is allowed to reduce the specificity of its origin by
> > modifying the document.domain property to a less-specific value. (e.g.
> > from foo.example.com to example.com) Therefore the scope of an access
> > grant implicitly includes not just the named origin, but more specific
> > ones beneath it in the DNS hierarchy.
> >
> > b. User-agents often restrict the degree to which the specificity of
> > an origin can be reduced, typically using a "public suffix" list to
> > forbid any resource from having a host portion that is a part of the
> > DNS hierarchy controlled by a public registry. (such as "com",
> > "co.uk", and
> > "pvt.k12.wy.us") Although these lists are difficult to keep up to date
> > and vary between implementations, resources SHOULD NOT return an
> > Access-Control-Allow-Origin header with a host value whose domain is a
> > public suffix, as such an origin is impossible to match securely.
> 
> This is wrong. CORS always uses the actual origin, not the effective origin.
> 
> 
> > c. Origins with schemes that do not provide authentication (e.g. http)
> > and origins with an unqualified name in the host portion, (e.g.
> > "example") including origins with unqualified names in the https
> > scheme, (e.g. "https://example/") do not provide secure identification
> > of the requesting application. Caution should be taken before granting
> > applications from such origins access to confidential or protected
> > resources.
> 
> I guess this point is valid.
> 
> I commented out part 3 for now, but we should maybe include the above
> paragraph somehow.
> 
> 
> --
> Anne van Kesteren
> http://annevankesteren.nl/

Received on Tuesday, 14 February 2012 23:21:00 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 14 February 2012 23:21:00 GMT