- From: James Kettle <james.kettle@portswigger.net>
- Date: Tue, 9 May 2017 16:41:33 +0100
- To: public-webappsec@w3.org
- Message-ID: <CAPNjHtCEMpcG_1zd+Qyg1wXjYP=WHWsMaQ+A6hAkqgZv74LmvQ@mail.gmail.com>
Hi all, After encountering a significant number of websites that have serious vulnerabilities due to their use of CORS, I'd like to float a few ideas for improvements to the CORS specification and its implementation in browsers. Due to limitations in the CORS spec/implementation, numerous websites are forced to dynamically generate the access-control-allow-origin header based on the incoming Origin header. This creates a situation where websites have security-critical functionality based on parsing user input. We could reduce the number of sites forced to do dynamic generation by: - Enabling static trust of multiple origins by supporting a space-separated list of origins - Enabling static trust of all subdomains by supporting the use of partial wildcards like https://*.example.com Trusting the 'null' origin is equivalent to trusting * except it's less obviously risky, and actually more dangerous since the allow-credentials exception for * doesn't apply to null. I think it may be helpful to apply the allow-credentials exception to 'null'. Websites accessed over HTTPS can use CORS to grant credentialed access to HTTP origins, which partially nullifies their use of HTTPS. Perhaps browsers' mixed content protection should block such requests, or at least disable allow-credentials for HTTP->HTTPS requests. I've written a longer blog post on this topic over at http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html and I'll be presenting on this topic at AppSec EU on Friday so feel free to say hi if you're around. Hopefully this is the right forum to present this ideas, and I'm not five years too late. Cheers, James Kettle
Received on Wednesday, 10 May 2017 09:36:26 UTC