Since it doesn't seem to have been posted here yet, this seems apropos: https://code.google.com/p/google-security-research/issues/detail?id=693 Exploitation of this vuln would have been prevented by the system Mike proposes (as well as most of the variants down-thread). (Unless TrendMicro sent the header, of course.) On Mon, Jan 4, 2016 at 5:10 AM, Mike West <mkwst@google.com> wrote: > Happy new year, WebAppSec! This seems like a lovely time to rekindle the > fire under the public/private origin restriction that we removed from Mixed > Content way back in 2014 ( > http://www.w3.org/TR/2014/WD-mixed-content-20140722/#private-origin). > > I've put together a kinder, gentler take on hardening the user agent > against the kinds of attacks that such requests enable: > https://mikewest.github.io/cors-rfc1918/. It's pretty rough, as I've only > poked at it sporadically over the holidays, but I think there's enough > there to get a conversation going. > > In a nutshell, the proposal is to require a CORS-preflight request for > requests initiated from the public internet which target private IP space. > This preflight requires an opt-in on the part of the intranet server via a > new CORS header, but doesn't block the requests entirely (which was a > failing of the initial proposal). I imagine this server-side opt-in being > combined in some intelligent way with a user-side opt-in (Presto-style > interstitial? permission request?), but I haven't explored anything in that > direction. > > CCing a few folks who've commented on the topic in the past; I imagine > you'll have opinions. :) > > -mike >
Received on Wednesday, 13 January 2016 00:42:35 UTC