- From: Jonas Sicking <jonas@sicking.cc>
- Date: Wed, 06 Feb 2008 03:08:15 -0800
- To: Ian Hickson <ian@hixie.ch>
- Cc: public-appformats@w3.org
Jonas Sicking wrote:
> Hi All,
>
> So I have some feedback to this proposal. I think Hixie might have misunderstood me and while I agreed to him publishing it, it's definitely not _from_ me.
>
> So there are a couple of pretty big security concerns that I have with this proposal.
>
> 1.
> It introduces ordering issues. Consider the following setup; A server contains two resources, /dir/A and /dir/B, and returns the following replies to OPTIONS requests:
>
> /dir/
> Access-Control:allow <*> method POST
> Method-Check-Policy-Path: /dir/
> Method-Check-Max-Age:3600
>
> /dir/A
> Access-Control:allow <*> method POST
> Method-Check-Policy-Path: /dir/
> Method-Check-Max-Age:3600
>
> /dir/B
> Access-Control:deny <*> method POST
> Method-Check-Max-Age:3600
>
>
> If a UA now accesses resource A it would do OPTIONS requests to /dir/A and then /dir/ and result in "allow <*> method POST" being cached as the policy for all resources under /dir/.
>
> If the UA then tries to do a POST to resource B this would be performed without any OPTIONS requests. I.e. the POST to B would be successful.
>
> However if the UA first tries to do a POST to resource B, the UA would first do an OPTIONS request to /dir/B and then abort. I.e. the POST to B would be unsuccessful.

Note that this isn't a problem with 'deny' rules. The exact same problem is there if OPTIONS requests to /dir/B don't return any AC headers at all. Just wanted the example to be more specific.

/ Jonas
Received on Wednesday, 6 February 2008 11:09:03 UTC
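The ordering issue described in the message, as an added simulation that is not part of the original post or of the proposal: a minimal model of a UA that caches the Method-Check-Policy-Path response for every resource under that prefix. The OPTIONS responses are constructed from the three resources in the message (headers paraphrased as dict keys), a second variant models the follow-up case where /dir/B returns no Access-Control headers at all, and Max-Age expiry is ignored; the policy-caching behaviour itself is an assumption drawn from the message, not a quote of the proposal's algorithm.

```python
from dataclasses import dataclass, field

# Constructed OPTIONS responses for the three resources in the message, with the
# headers paraphrased as dict keys: 'rule' is the Access-Control decision for
# POST, 'policy_path' is Method-Check-Policy-Path. Max-Age expiry is ignored.
SERVER = {
    "/dir/":  {"rule": "allow", "policy_path": "/dir/"},
    "/dir/A": {"rule": "allow", "policy_path": "/dir/"},
    "/dir/B": {"rule": "deny"},
}
# Variant from the follow-up: /dir/B returns no Access-Control headers at all.
SERVER_NO_HEADERS = {**SERVER, "/dir/B": {}}


@dataclass
class UserAgent:
    server: dict
    cache: dict = field(default_factory=dict)        # policy path -> rule
    options_log: list = field(default_factory=list)  # every OPTIONS sent

    def _options(self, path):
        self.options_log.append(path)
        return self.server[path]

    def post(self, path):
        """Return True if the UA would send the POST to `path`."""
        # A cached policy for an enclosing path is used without any OPTIONS
        # request, which is exactly what makes the outcome order-dependent.
        for prefix, rule in self.cache.items():
            if path.startswith(prefix):
                return rule == "allow"
        own = self._options(path)
        if own.get("rule") != "allow":   # deny, or no AC headers: abort
            return False
        policy_path = own.get("policy_path")
        if policy_path:
            # The policy-path response is cached for everything under that prefix.
            rule = self._options(policy_path).get("rule")
            self.cache[policy_path] = rule
            return rule == "allow"
        return True


def run(order, server=SERVER):
    """POST to each path in turn; return (decision per path, OPTIONS log)."""
    ua = UserAgent(server)
    decisions = {path: ua.post(path) for path in order}
    return decisions, ua.options_log
```

Running `run(["/dir/A", "/dir/B"])` lets the POST to /dir/B through with no OPTIONS to /dir/B at all, while `run(["/dir/B", "/dir/A"])` blocks it; the same split appears with `SERVER_NO_HEADERS`.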