
Re: Improving CORS security

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 10 May 2017 18:32:09 +0200
Message-ID: <CADnb78hubRkBwDAGCoGEXtBsFH_+V+1uSnrfXBaxzW9cShXO9g@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: Mike West <mkwst@google.com>, James Kettle <james.kettle@portswigger.net>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Wed, May 10, 2017 at 5:42 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
> Yes, we do rely on it right now. We rely on a form of CSRF tokens to protect
> the requests so that evil.com can't make the request; while any XSS on the
> page can't affect the main origin.
>
> My point is that the vulnerability that null allows is the same in impact as
> the websites that just blindly reflect an origin. None of the proposals for
> that are talking about breaking existing apps and I think we should follow
> the same principle here.

Since breaking Dropbox doesn't really seem like an option, write a PR
against Fetch to remove the issue marker? Not much point in having it
there if it can't be implemented.


-- 
https://annevankesteren.nl/
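An added example, not code from this thread, from Dropbox or from the Fetch spec: a server-side CORS decision under the three policies the exchange contrasts (explicit allowlist, blind reflection of the request Origin, and additionally honouring the opaque "null" origin), plus a probe showing why a credentialed "null" allowance and blind reflection land in the same place. Origin names and policy labels are constructed for illustration.

```python
from typing import Optional

# Constructed allowlist standing in for an application's real origins.
ALLOWED_ORIGINS = {"https://app.example", "https://admin.example"}


def cors_headers(request_origin: Optional[str], credentials: bool,
                 policy: str = "allowlist") -> dict:
    """Return the CORS response headers for one request under a policy.

    policy="allowlist": only enumerated origins are granted (the safe case).
    policy="reflect":   echo whatever Origin arrived (the 'blindly reflect' case).
    policy="null":      allowlist plus the opaque "null" origin that sandboxed
                        iframes and some local documents carry.
    """
    headers: dict = {}
    if request_origin is None:
        return headers  # no Origin header: nothing for CORS to decide
    if policy == "reflect":
        allowed = request_origin
    elif policy == "null":
        allowed = request_origin if (
            request_origin in ALLOWED_ORIGINS or request_origin == "null") else None
    else:
        allowed = request_origin if request_origin in ALLOWED_ORIGINS else None
    if allowed is None:
        return headers  # browser blocks the cross-origin read
    headers["Access-Control-Allow-Origin"] = allowed
    headers["Vary"] = "Origin"  # caches must not reuse one origin's answer
    if credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def probe(policy: str, credentials: bool = True) -> list:
    """Audit a policy with two origins a credentialed API should never grant:
    an attacker-controlled site and the opaque "null" origin, which any
    sandboxed document can present. A finding means a credentialed
    cross-origin read is possible from that origin."""
    findings = []
    for origin in ("https://evil.example", "null"):
        h = cors_headers(origin, credentials, policy)
        if (h.get("Access-Control-Allow-Origin") == origin
                and h.get("Access-Control-Allow-Credentials") == "true"):
            findings.append(f"credentialed read allowed from {origin}")
    return findings
```

Under this probe the "reflect" policy fails for both origins and the "null" policy fails for the opaque origin alone, while the allowlist produces no findings; the thread's argument is that the reachable impact of the latter two is the same.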
Received on Wednesday, 10 May 2017 16:32:40 UTC
