Re: More clarity about cookie handling from Jonas Sicking on 2007-11-30 (public-appformats@w3.org from November 2007)

From: Jonas Sicking <jonas@sicking.cc>
Date: Fri, 30 Nov 2007 11:29:58 -0800
To: Jon Ferraiolo <jferrai@us.ibm.com>, "WAF WG (public)" <public-appformats@w3.org>
Message-ID: <475064B6.7050204@sicking.cc>

Jon Ferraiolo wrote:
> ----------------
> When making a _cross-site access request_ 
> <http://www.w3.org/TR/access-control/#cross-site-access-request> user 
> agents /should/ ensure to:
> 
>           o ...
>           o Not to expose any trusted data, such as cookies, HTTP header
>             data, inappropriately
> 
> ----------------
> 
> I worry that the language can be mis-interpreted or misunderstood. What 
> seems "inappropriate" to you might be different than what something else 
> thinks. My opinion (shared with other OpenAjax members) is that we would 
> like to see language that is simpler and more direct, such as "cookies 
> SHOULD NOT be sent with cross-site requests". I haven't studied the 
> specification from an editorial perspective all that clearly, but maybe 
> something like this would work:
> 
> ----------------
> When making a _cross-site access request_ 
> <http://www.w3.org/TR/access-control/#cross-site-access-request> user 
> agents:
> ...
> * SHOULD NOT transmit cookies or HTTP header data
> ----------------

I don't think this is what the spec means to say, nor do I think that it 
should.

Why is sending cookies along with the cross-site request a security 
problem? As long as you are sending the cookies for the third-party site 
things should be fine. I.e. if server A makes a cross-site request to 
server B, the request should include the cookies appropriate for server 
B (but none of the cookies related to server A).

It is already easy to make a GET request to a third-party server which 
includes the cookies for the third-party server, so if that has any 
side-effects you are already in trouble.
If it does not have side-effects to do so, I don't see the harm in doing 
that for cross-site access requests.

Can you describe the attack you are worried about?

The reason we'd want to include cookies for cross-site access requests 
is that many servers use cookies to authenticate the user, before even 
running the user code used to generate the page. If we didn't send 
cookies it would be significantly harder to support cross-site requests
on such servers.

/ Jonas

Received on Friday, 30 November 2007 19:44:03 UTC