Re: CORS and null from Mike West on 2014-06-03 (public-webappsec@w3.org from June 2014)

From: Mike West <mkwst@google.com>
Date: Tue, 3 Jun 2014 10:54:17 +0200
To: Anne van Kesteren <annevk@annevk.nl>
Cc: WebAppSec WG <public-webappsec@w3.org>, Jonas Sicking <jonas@sicking.cc>, Adam Barth <w3c@adambarth.com>, Maciej Stachowiak <mjs@apple.com>, Travis Leithead <Travis.Leithead@microsoft.com>
Message-ID: <CAKXHy=cyKUQz2LwmDfutH8sWLXZFNgE3LicVt-x+DFkHUeV2fw@mail.gmail.com>

Banning the former makes sense to me.

It has the impact that sandboxed frames can't make XHR requests to CORS
enabled resources, which is potentially problematic in the cases where
you'd like to sandbox off a portion of your application that processes data.

The workaround would be for the parent frame to request the data, and to
pipe it into the sandbox via postMessage. That's probably better from a
security perspective anyway; if the sandbox doesn't need to make requests,
it shouldn't be allowed to.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Mon, Jun 2, 2014 at 10:55 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> Allowing
>
>   Access-Control-Allow-Origin: null
>   Access-Control-Allow-Credentials: true
>
> is effectively equivalent to allowing
>
>   Access-Control-Allow-Origin: *
>   Access-Control-Allow-Credentials: true
>
> given sandboxing. Given that we do not allow the latter, should we
> start banning the former?
>
>
> --
> http://annevankesteren.nl/
>
>

Received on Tuesday, 3 June 2014 08:55:05 UTC