RE: CfC: CORS to advance to Last Call

From: Hill, Brad <bhill@paypal-inc.com>
Date: Fri, 23 Dec 2011 10:39:34 -0700
To: Jonathan A Rees <rees@mumble.net>, Thomas Roessler <tlr@w3.org>
CC: Ashok Malhotra <ashok.malhotra@oracle.com>, "www-tag@w3.org List" <www-tag@w3.org>, Eric Rescorla <ekr@rtfm.com>
Message-ID: <213E0EC97FE58F469BB618245B3118BB555952EEB5@DEN-MEXMS-001.corp.ebay.com>

Sorry to join the discussion late. (thanks for including us, Thomas)

I've gone back to the Don't Be a Deputy (DBAD) and CORS vs. UMP conversations archived in various places.  While I was not a participant at the time and my context is limited, it appears to me the discussions conflated a number of issues, and many have been addressed by the current design of CORS.  As co-chair of the new WG now shepherding these specs, I have made a personal appeal to Mark Miller and Tyler Close to bring any remaining issues they have to us, but haven't received a response.

The ability of web browsers to be abused as deputies is considerable, and has been for a long time, independent of CORS or XHR.  With the restrictions on non-simple methods, I don't believe CORS as currently specified gives qualitatively new or different capabilities to a would-be CSRF attacker.  The attacks I find described in the DBAD discussions can be accomplished with cross-origin POSTs from almost the beginnings of the Web.  Most don't even need a scriptable user-agent.

I can understand how the CORS vs. UMP debate *occasioned* a larger discussion about the architecture of the web and ambient authority, but it seems it was a philosophical argument, with CORS as a representative of the status quo, not as a harbinger of new vulnerabilities.  The question of cross-origin ambient authority in the user-agent was and remains bigger than and orthogonal to CORS, and one that shouldn't hold it back from going to LC.  If a decision is eventually reached that the ambient authority implied by the architecture of the Web must be curtailed, patching user-agents to force "Access-Control-Allow-Credentials: false" will be possibly the smallest and easiest change the community will have to make.

Brad Hill
Co-chair, WebAppSec WG
  
Received on Friday, 23 December 2011 17:40:11 GMT
