The proposal doesn't talk on eliminating timing-based fingerprinting possibilities though, which might not be relevant since all internal resources will be "protected" from outside by default, but worth a discussion. Like making sure "made up" network error timings are intact with real network error timings. On Mon, Jan 4, 2016 at 5:10 AM, Mike West <mkwst@google.com> wrote: > Happy new year, WebAppSec! This seems like a lovely time to rekindle the > fire under the public/private origin restriction that we removed from Mixed > Content way back in 2014 ( > http://www.w3.org/TR/2014/WD-mixed-content-20140722/#private-origin). > > I've put together a kinder, gentler take on hardening the user agent > against the kinds of attacks that such requests enable: > https://mikewest.github.io/cors-rfc1918/. It's pretty rough, as I've only > poked at it sporadically over the holidays, but I think there's enough > there to get a conversation going. > > In a nutshell, the proposal is to require a CORS-preflight request for > requests initiated from the public internet which target private IP space. > This preflight requires an opt-in on the part of the intranet server via a > new CORS header, but doesn't block the requests entirely (which was a > failing of the initial proposal). I imagine this server-side opt-in being > combined in some intelligent way with a user-side opt-in (Presto-style > interstitial? permission request?), but I haven't explored anything in that > direction. > > CCing a few folks who've commented on the topic in the past; I imagine > you'll have opinions. :) > > -mike >
Received on Tuesday, 5 January 2016 09:27:44 UTC