Re: Why the restriction on unauthenticated GET in CORS?

From: Cameron Jones <cmhjones@gmail.com>
Date: Fri, 20 Jul 2012 12:37:49 +0100
Message-ID: <CALGrgesb1Z+CcVwzWqnYOTzFt3PVSNPXnd4+NjztKfHA21pckw@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, Henry Story <henry.story@bblfish.net>, Ian Hickson <ian@hixie.ch>, public-webapps <public-webapps@w3.org>, public-webappsec@w3.org

On Fri, Jul 20, 2012 at 8:29 AM, Adam Barth <w3c@adambarth.com> wrote:
> On Thu, Jul 19, 2012 at 7:50 AM, Cameron Jones <cmhjones@gmail.com> wrote:
>> On Thu, Jul 19, 2012 at 3:19 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
>>> On Thu, Jul 19, 2012 at 4:10 PM, Cameron Jones <cmhjones@gmail.com> wrote:
>>>> Isn't this mitigated by the Origin header?
>>>
>>> No.
>>
>> Could you expand on this response, please?
>>
>> My understanding is that requests generated from XHR will have Origin
>> applied. This can be used to reject requests from 3rd party websites
>> within browsers. Therefore, intranets have the potential to restrict
>> access from internal user browsing habits.
>
> They have the potential, but existing networks don't do that.  We need
> to protect legacy systems that don't understand the Origin header.
>

Yes, I understand that. When new features are introduced someone's
security policy is impacted, in this case (and by policy always the
case) it is those who provide public services whose security policy is
broken.

It just depends on whose perspective you look at it from.

The cost of private security *is* being paid by the public, although
it seems the public has to pay a high price for everything nowadays.

>>>> Also, what about the point that this is unethically pushing the costs
>>>> of securing private resources onto public access providers?
>>>
>>> It is far more unethical to expose a user's private data.
>>
>> Yes, but if no user private data is being exposed then there is cost
>> being paid for no benefit.
>
> I think it's difficult to discuss ethics without agreeing on an
> ethical theory.  Let's stick to technical, rather than ethical,
> discussions.
>

Yes, but as custodians of a public space there is an ethical duty and
responsibility to represent the interests of all users of that space.
This is why the concerns deserve attention even if they may have been
visited before.

Given that the level of impact affects the entire corpus of global public
data, it is valuable to do an impact and risk assessment to garner
whether the costs are significantly outweighed by either party.

With some further consideration, I can't see any other way to protect
IP authentication against targeted attacks through to their systems
without the mandatory upgrade of these systems to IP + Origin
Authentication.

So, this is a non-starter. Thanks for all the fish.

> Adam

Thanks,
Cameron Jones
Received on Friday, 20 July 2012 11:38:17 GMT
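
The difference between the IP-only check that legacy intranet systems perform and the "IP + Origin" check discussed in this message, as an added example that is not part of the original thread or of any specification. The network ranges, origins, function names and the handling of a missing Origin header are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed sample policy: ranges and origins are assumptions, not from the thread.
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
TRUSTED_ORIGINS = {"https://intranet.example"}


def ip_trusted(client_ip):
    """True when the connecting address lies inside a trusted network."""
    addr = ip_address(client_ip)
    return any(addr in net for net in TRUSTED_NETS)


def legacy_authorize(client_ip):
    """IP-only authentication: the legacy behaviour that ignores Origin."""
    return ip_trusted(client_ip)


def authorize(client_ip, headers):
    """IP + Origin authentication for a server that understands Origin."""
    if not ip_trusted(client_ip):
        return False
    # HTTP header names are case-insensitive.
    origin = next((v for k, v in headers.items() if k.lower() == "origin"), None)
    if origin is None:
        # Assumption: a request without Origin is not a cross-origin XHR
        # (for example a direct navigation or a non-browser client).
        return True
    # Exact match only; "null" and any unlisted origin are rejected.
    return origin.strip() in TRUSTED_ORIGINS


if __name__ == "__main__":
    # Constructed request: a browser inside the intranet runs script from a
    # third-party page that issues a cross-origin XHR to an internal host.
    ip, hdrs = "10.1.2.3", {"Origin": "https://third-party.example"}
    print("IP only    :", legacy_authorize(ip))   # request is accepted
    print("IP + Origin:", authorize(ip, hdrs))    # request is rejected
```

A server running only the first check sees a trusted address and cannot tell the two kinds of request apart, which is why the browser-side restriction is kept for systems that have not been upgraded.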
