Re: Improving CORS security from James Kettle on 2017-05-12 (public-webappsec@w3.org from May 2017)

From: James Kettle <james.kettle@portswigger.net>
Date: Fri, 12 May 2017 18:20:54 +0100
To: Daniel Veditz <dveditz@mozilla.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAPNjHtB4dHnRYkpsYNebG7eEJ+jMazexVkMqSHAj_7n=GrpKQw@mail.gmail.com>
Thanks for all the feedback!


> - Enabling static trust of multiple origins by supporting a
>> space-separated list of origins
>
>
> I would support syntax for this. Having to programmatically generate the
> correct header has always seemed error prone and leads to blind echoing
> which is less secure than just using "*".


Great! I don't have any strong views on what the syntax should be (spaces
vs commas), but I think this one suggestion is the clearest win as it
strongly pushes people towards using a hard-coded whitelist.


> - Enabling static trust of all subdomains by supporting the use of partial
>> wildcards like https://*.example.com
>
>
I have more trepidation here that people will leave themselves too wide
> open, but I cautiously support this as a practical necessity given the
> first. Would such sites allow credentials, or would they be forced to be
> credential-less like '*' ?


I think this would need to support credentials for anyone to use it. I
agree that trusting all subdomains isn't really a great idea, but it's a
common use case and if you enforced a rule like '* must be followed by .'
you could help out the many sites making Zomato's mistake of trusting
literally everything that ends in zomato.com, including notzomato.com


Websites accessed over HTTPS can use CORS to grant credentialed access to
>> HTTP origins, which partially nullifies their use of HTTPS. Perhaps
>> browsers' mixed content protection should block such requests, or at least
>> disable allow-credentials for HTTP->HTTPS requests.
>
>
I disagree. From the document and user point of view it's not at all mixed
> content.

Maybe mixed content was a poor choice of terminology. I think this
suggestion might have been misunderstood slightly. I'm suggesting that an
application that specifies ACAO: true and ACAO: <some HTTP origin> should
have the ACAC flag ignored. I don't see how this will making upgrading
sites to HTTPS harder, since as Anne said the standard approach is to
upgrade CDNs first and the application afterward, and it's only
applications that care about allowing credentials.


> If the HTTPS server doesn't want to give up its data to HTTP origins it
> can quite simply not respond with the CORS headers that enable it.

Well obviously, but anyone who wants to trust all their subdomains has to
do dynamic generation based on the Origin header, and virtually none of
them bother to check the protocol being supplied, Google included. You
could just as easily say "HTTPS sites that don't want to wreck their
security shouldn't import scripts over HTTP" but browsers are happy to step
in and block that.

At present, the browser UI on HTTPS pages that allow credentialed access
from HTTP origins is grossly misleading. The browser indicates that the
page is secured against network attackers when they can actually trivially
gain access to everything the user can see.

Cheers,

James Kettle

On 10 May 2017 at 18:30, Daniel Veditz <dveditz@mozilla.com> wrote:

> On Tue, May 9, 2017 at 8:41 AM, James Kettle <james.kettle@portswigger.net
> > wrote:
>
>> - Enabling static trust of multiple origins by supporting a
>> space-separated list of origins
>>
>
> I would support syntax for this. Having to programmatically generate the
> correct header has always seemed error prone and leads to blind echoing
> which is less secure than just using "*".
>
> - Enabling static trust of all subdomains by supporting the use of partial
>> wildcards like https://*.example.com
>>
>
> I have more trepidation here that people will leave themselves too wide
> open, but I cautiously support this as a practical necessity given the
> first. Would such sites allow credentials, or would they be forced to be
> credential-less like '*' ?
>
> Websites accessed over HTTPS can use CORS to grant credentialed access to
>> HTTP origins, which partially nullifies their use of HTTPS. Perhaps
>> browsers' mixed content protection should block such requests, or at least
>> disable allow-credentials for HTTP->HTTPS requests.
>>
>
> I disagree. From the document and user point of view it's not at all mixed
> content. If the HTTPS server doesn't want to give up its data to HTTP
> origins it can quite simply not respond with the CORS headers that enable
> it. The existing mixed-content blocking behavior leans hard on 3rd-party
> services to implement https because as such they can serve anyone, while
> with https they cannot serve to https documents.
>
> -
> Dan Veditz
>
>
Received on Friday, 12 May 2017 17:21:58 UTC