W3C home > Mailing lists > Public > public-webappsec@w3.org > May 2017

Re: Improving CORS security

From: Mike West <mkwst@google.com>
Date: Wed, 10 May 2017 12:13:58 +0200
Message-ID: <CAKXHy=cmYCd=8iD93Nja2d6cLqJ5h2EtdgLLnD4MjBCPmfJn1Q@mail.gmail.com>
To: James Kettle <james.kettle@portswigger.net>, Anne van Kesteren <annevk@annevk.nl>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Thanks, James!

On Tue, May 9, 2017 at 5:41 PM, James Kettle <james.kettle@portswigger.net>
wrote:

> We could reduce the number of sites forced to do dynamic generation by:
>
> - Enabling static trust of multiple origins by supporting a
> space-separated list of origins
> - Enabling static trust of all subdomains by supporting the use of partial
> wildcards like https://*.example.com
>

+Anne, who will have opinions.


> Trusting the 'null' origin is equivalent to trusting * except it's less
> obviously risky, and actually more dangerous since the allow-credentials
> exception for * doesn't apply to null. I think it may be helpful to apply
> the allow-credentials exception to 'null'.
>

For clarity, you're suggesting that `Access-Control-Allow-Origin: null`
should not be allowed if the request included credentials (in the same way
that we block `Access-Control-Allow-Origin: *`)? I think I could get behind
that, depending on usage in the wild.

Websites accessed over HTTPS can use CORS to grant credentialed access to
> HTTP origins, which partially nullifies their use of HTTPS. Perhaps
> browsers' mixed content protection should block such requests, or at least
> disable allow-credentials for HTTP->HTTPS requests.
>

Interesting. You're suggesting that `https://example.com/` should not be
able to send `Access-Control-Allow-Origin: http://whatever.com`? That
sounds reasonable on the one hand, but I suspect that it's widely used on
the other (all (I hope) Google API endpoints are HTTPS, for example, but
not all of those APIs' clients will be). I'll add some metrics to Chrome to
see if that suspicion is borne out.


> I've written a longer blog post on this topic over at
> http://blog.portswigger.net/2016/10/exploiting-cors-
> misconfigurations-for.html and I'll be presenting on this topic at AppSec
> EU on Friday so feel free to say hi if you're around.
>

Looking forward to catching the recording. :)

-mike
Received on Wednesday, 10 May 2017 10:14:52 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:23 UTC