W3C home > Mailing lists > Public > www-tag@w3.org > December 2011

Re: CfC: CORS to advance to Last Call

From: Martin J. Dürst <duerst@it.aoyama.ac.jp>
Date: Mon, 26 Dec 2011 14:38:08 +0900
Message-ID: <4EF80840.8020903@it.aoyama.ac.jp>
To: "Hill, Brad" <bhill@paypal-inc.com>
CC: Jonathan A Rees <rees@mumble.net>, Thomas Roessler <tlr@w3.org>, Ashok Malhotra <ashok.malhotra@oracle.com>, "www-tag@w3.org List" <www-tag@w3.org>, Eric Rescorla <ekr@rtfm.com>, Anne van Kesteren <annevk@opera.com>
Hello Brad, others,

I'm not at all an expert on CORS and related technology, but it seems to 
me that what you wrote should go into the Security Considerations 
section of the document 
(http://www.w3.org/TR/2010/WD-cors-20100727/#security). That section may 
benefit from some more work anyway; it is written as a "advice that did 
not fit anywhere else" rather than the otherwise usual (at least in the 
IETF) "list anything security-relevant, with pointers to other sections 
or documents where appropriate".

Regards,    Martin.

On 2011/12/24 2:39, Hill, Brad wrote:
> Sorry to join the discussion late. (thanks for including us, Thomas)
>
> I've gone back to the Don't Be a Deputy (DBAD) and CORS vs. UMP conversations archived in various places.  While I was not a participant at the time and my context is limited, it appears to me the discussions conflated a number of issues, and many have been addressed by the current design of CORS.  As co-chair of the new WG now shepherding these specs, I have made a personal appeal to Mark Miller and Tyler Close to bring any remaining issues they have to the us, but haven't received a response.
>
> The ability of web browsers to be abused as deputies is considerable, and has been for a long time, independent of CORS or XHR.  With the restrictions on non-simple methods, I don't believe CORS as currently specified gives qualitatively new or different capabilities to a would-be CSRF attacker.  The attacks I find described in the DBAD discussions can be accomplished with cross-origin POSTs from almost the beginnings of the Web.  Most don't even need a scriptable user-agent.
>
> I can understand how the CORS vs. UMP debate *occasioned* a larger discussion about the architecture of the web and ambient authority, but it seems it was a philosophical argument, with CORS as a representative of the status quo, not as a harbinger of new vulnerabilities.  The question of cross-origin ambient authority in the user-agent was and remains bigger than and orthogonal to CORS, and one that shouldn't hold it back from going to LC.  If a decision is eventually reached that the ambient authority implied by the architecture of the Web must be curtailed, patching user-agents to force "Access-Control-Allow-Credentials: false" will be possibly the smallest and easiest change the community will have to make.
>
> Brad Hill
> Co-chair, WebAppSec WG
>
>
>
Received on Monday, 26 December 2011 05:38:41 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 26 April 2012 12:48:44 GMT