Re: Comments on: Access Control for Cross-site Requests

John Panzer wrote:
> Some comments on blocking of authentication credentials:
> 
>     When making a cross-site access request
>     <http://dev.w3.org/2006/waf/access-control/#cross-site-access-request>,
>     user agents /should/ ensure to:
>     "Not allow the author to set cookies or authentication credentials
>     for the request, as this would allow for a distributed cookie or
>     credentials search."
> 
> and
> 
>     Why can cookies and authentication information /not/ be provided by
>     the script author for the request?
> 
>         This would allow dictionary based, distributed, cookies / user
>         credentials search.
> 
> There are schemes for Authorization: which do not use passwords and 
> therefore do not have a dictionary attack problem; one of them is OAuth 
> (http://oauth.net).  It uses the Authorization: header by preference and 
> can be used within a browser.  (OpenSocial is in fact currently relying 
> on OAuth for authorization of proxied cross-site requests.)
> 
> Is the intent to block the use of Authorization: headers completely, or 
> only the use of Authorization: Basic and the like?  If the former, I 
> suggest that hindering the use of newer, more secure mechanisms for 
> authentication reduces security rather than enhancing it.

Authorization headers are still sent. However, only the authentication 
credentials that the user has already used to log into the site are sent.

So all methods of authentication are still supported.

Hope that answers your question?

Best Regards,
Jonas Sicking

Received on Tuesday, 5 February 2008 02:10:09 UTC
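As an added illustration (not part of this thread and not any browser's code), here is a small Python model of the rule Jonas describes: Cookie and Authorization headers set by the script author are dropped from a cross-site request, and only the credentials the user agent already holds for the target site are attached. The blocked-header set, the credential store layout and all sample values are assumptions constructed for the model.

```python
from urllib.parse import urlsplit

# Headers the draft says the author must not be able to set on a cross-site
# request (a model of the rule quoted in the thread, not a real browser's list).
AUTHOR_BLOCKED_HEADERS = {"cookie", "authorization"}


def is_cross_site(request_url, origin):
    """True when the request targets a different scheme/host/port than the origin."""
    req, org = urlsplit(request_url), urlsplit(origin)
    return (req.scheme, req.hostname, req.port) != (org.scheme, org.hostname, org.port)


def build_request_headers(origin, request_url, author_headers, ua_credentials):
    """Return the headers the user agent would actually send.

    author_headers: headers supplied by the script author.
    ua_credentials: credentials the user agent already holds, keyed by site,
        e.g. {"https://api.example.test": {"authorization": "OAuth ..."}}
        (a constructed, simplified credential store).
    """
    headers = {name.lower(): value for name, value in author_headers.items()}
    if is_cross_site(request_url, origin):
        # Discard author-set credentials: a script must not be able to pick
        # which cookie or Authorization value the cross-site request carries.
        for name in AUTHOR_BLOCKED_HEADERS:
            headers.pop(name, None)
        # Attach only what the user has already established with the target site.
        target = urlsplit(request_url)
        headers.update(ua_credentials.get(f"{target.scheme}://{target.netloc}", {}))
    return headers


if __name__ == "__main__":
    # Constructed sample: the author tries to set Basic credentials and a cookie,
    # while the user agent already holds an OAuth Authorization value for the API.
    store = {"https://api.example.test": {"authorization": 'OAuth oauth_token="t1"'}}
    sent = build_request_headers(
        "https://app.example.test",
        "https://api.example.test/data",
        {"Authorization": "Basic Zm9vOmJhcg==", "Cookie": "sid=abc", "Accept": "application/json"},
        store,
    )
    print(sent)  # the Basic value and cookie are gone; the stored OAuth header is present
```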