- From: Jonas Sicking <jonas@sicking.cc>
- Date: Fri, 30 Nov 2007 11:29:58 -0800
- To: Jon Ferraiolo <jferrai@us.ibm.com>, "WAF WG (public)" <public-appformats@w3.org>
Jon Ferraiolo wrote:
> ----------------
> When making a _cross-site access request_
> <http://www.w3.org/TR/access-control/#cross-site-access-request> user
> agents /should/ ensure to:
>
> o ...
> o Not to expose any trusted data, such as cookies, HTTP header
> data, inappropriately
>
> ----------------
>
> I worry that the language can be mis-interpreted or misunderstood. What
> seems "inappropriate" to you might be different than what something else
> thinks. My opinion (shared with other OpenAjax members) is that we would
> like to see language that is simpler and more direct, such as "cookies
> SHOULD NOT be sent with cross-site requests". I haven't studied the
> specification from an editorial perspective all that clearly, but maybe
> something like this would work:
>
> ----------------
> When making a _cross-site access request_
> <http://www.w3.org/TR/access-control/#cross-site-access-request> user
> agents:
> ...
> * SHOULD NOT transmit cookies or HTTP header data
> ----------------

I don't think this is what the spec means to say, nor do I think that it should.

Why is sending cookies along with the cross-site request a security problem? As long as you are sending the cookies for the third-party site things should be fine. I.e. if server A makes a cross-site request to server B, the request should include the cookies appropriate for server B (but none of the cookies related to server A).

It is already easy to make a GET request to a third-party server which includes the cookies for the third-party server, so if that has any side-effects you are already in trouble. If it does not have side-effects to do so, I don't see the harm in doing that for cross-site access requests.

Can you describe the attack you are worried about?

The reason we'd want to include cookies for cross-site access requests is that many servers use cookies to authenticate the user, before even running the user code used to generate the page. If we didn't send cookies it would be significantly harder to support cross-site requests on such servers.

/ Jonas
Received on Friday, 30 November 2007 19:44:03 UTC