
Re: "Uniform Messaging, a CSRF resistant profile of CORS"

From: Jonathan Rees <jar@creativecommons.org>
Date: Wed, 25 Nov 2009 07:37:43 -0500
Message-ID: <760bcb2a0911250437s1137cdbaq1df674bf8ad94672@mail.gmail.com>
To: Dan Connolly <connolly@w3.org>
Cc: www-tag@w3.org
I read this. If I understand correctly it specifies a way for a server
to declare that a particular resource is either public (doesn't need
protection) or is adequately protected using some mechanism other than
SOP (e.g. unguessability). If a resource opts in to this system, then
cross-origin uses are allowed by the client.

Examples
(a) a server could say that a style sheet doesn't need protection from
cross-origin access
(b) a server could say that a resource named by an unguessable URI
doesn't need SOP protection from cross-origin access (because access
to the URI itself is protected in some way)

Cross-origin requests are scrubbed of credentials and therefore pick
up no ambient authority (cookies, Origin:, etc). When a cross-origin
request is made, the container (browser) checks the response for
cross-origin-request opt-in before giving any information about the
resource to the requesting script (section 6.3). Because the request
contains no ambient authority, the only possible CSRF attacks would
involve resources that are supposed to be protected by a firewall or
client IP address, for which the server mistakenly opts in to
cross-origin requests... this would require an active effort to do
something wrong.

Jonathan

On Tue, Nov 24, 2009 at 11:47 PM, Dan Connolly <connolly@w3.org> wrote:
> FYI, re ACTION-331, tracking the confused deputy issue in CORS work
>
> http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/0914.html
>
> I haven't looked at the proposal closely, so I can't vouch
> for the claim in the subject/title.
>
> --
> Dan Connolly, W3C http://www.w3.org/People/Connolly/
> gpg D3C2 887B 0F92 6005 C541  0875 0F91 96DE 6E52 C29E
>
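The container behaviour described in the message above (strip ambient authority from the outgoing request, then check the response for opt-in before handing anything to the requesting script) as an added JavaScript model; it is not part of the original thread, and it assumes the opt-in signal is the response header `Access-Control-Allow-Origin: *`, which this page does not name.

```javascript
// Added example (not from the original thread): a toy model of the container
// behaviour described above. Assumptions not on this page: the opt-in signal is
// the response header "Access-Control-Allow-Origin: *", and requests/responses
// are plain objects whose response header names are lower-case.

// Headers that carry ambient authority. They never leave the container on a
// cross-origin request, so the server cannot mistake it for the user's own.
const AMBIENT_HEADERS = ["cookie", "authorization", "origin", "referer"];

// Step 1: scrub the outgoing request (returns a copy; the original is untouched).
function scrubCrossOriginRequest(request) {
  const headers = {};
  for (const [name, value] of Object.entries(request.headers || {})) {
    if (!AMBIENT_HEADERS.includes(name.toLowerCase())) headers[name] = value;
  }
  return { method: request.method, url: request.url, headers, body: request.body };
}

// Step 2: gate the response. Without the opt-in, the script learns only that the
// request failed: no status, headers or body (the section 6.3 check above).
function exposeResponseToScript(response) {
  const optedIn = (response.headers || {})["access-control-allow-origin"] === "*";
  if (!optedIn) return { ok: false, status: 0, headers: {}, body: null };
  return { ok: true, status: response.status, headers: response.headers, body: response.body };
}

// The container's cross-origin fetch: scrub, send, then gate what comes back.
function uniformFetch(request, server) {
  return exposeResponseToScript(server(scrubCrossOriginRequest(request)));
}

// Constructed sample servers (functions of the request, not real hosts).
// (a) A public style sheet that opts in to cross-origin use.
function publicStyleSheet(req) {
  return { status: 200, headers: { "access-control-allow-origin": "*" }, body: "body{color:red}" };
}
// (b) A cookie-protected page that does not opt in: it answers only to the
// session cookie and never declares itself safe for cross-origin use.
function cookieProtectedPage(req) {
  if (req.headers.cookie !== "session=abc") return { status: 401, headers: {}, body: "login" };
  return { status: 200, headers: {}, body: "balance=42" };
}

// A script on another origin tries both while the user's session cookie exists.
const ATTEMPT = { method: "GET", url: "/x", headers: { Cookie: "session=abc" }, body: null };
function demo() {
  return { css: uniformFetch(ATTEMPT, publicStyleSheet), account: uniformFetch(ATTEMPT, cookieProtectedPage) };
}
```

Running `demo()` shows the two outcomes side by side: the opted-in style sheet is readable, while the cookie-protected page is neither acted on with the user's session nor visible to the script.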
Received on Wednesday, 25 November 2009 12:38:23 GMT
