- From: Ian Hickson <ian@hixie.ch>
- Date: Thu, 7 Feb 2008 01:25:21 +0000 (UTC)
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: public-appformats@w3.org
On Tue, 5 Feb 2008, Jonas Sicking wrote:
>
> It introduces ordering issues. Consider the following setup; A server
> contains two resources, /dir/A and /dir/B, and returns the following
> replies to OPTIONS requests:
>
> /dir/
> Access-Control:allow <*> method POST
> Method-Check-Policy-Path: /dir/
> Method-Check-Max-Age:3600
>
> /dir/A
> Access-Control:allow <*> method POST
> Method-Check-Policy-Path: /dir/
> Method-Check-Max-Age:3600
>
> /dir/B
> Access-Control:deny <*> method POST
> Method-Check-Max-Age:3600
>
>
> If a UA now accesses resource A it would do OPTIONS requests to /dir/A
> and then /dir/ and result in "allow <*> method POST" being cached as the
> policy for all resources under /dir/.
>
> If the UA then tries to do a POST to resource B this would be performed
> without any OPTIONS requests. I.e. the POST to B would be successful.
>
> However if the UA first tries to do a POST to resource B, the UA would
> first do an OPTIONS request to /dir/B and then abort. I.e. the POST to B
> would be unsuccessful.

I think this will make debugging a pain, for sure, but I don't think it's
a security problem. It's just a configuration issue. I can't see a clear
way of avoiding it, though.

(Note also that if you access A then B, that even though B would then get
a POST, it wouldn't leak the data to the requesting Web page. The "deny"
would still take effect on the response.)

> The current proposal means that someone that can control the responses
> to a given directory can effectively control the ability to perform
> unsafe cross-site requests to any URI under that directory.

Yes, that's the assumption for the proposal. :-) Is it not a safe
assumption?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /, _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 7 February 2008 01:25:30 UTC
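Added example, not part of the thread and not the draft's own algorithm: a small JavaScript model of the user agent behaviour Jonas describes (preflight, policy-path lookup, prefix cache) together with the response-side point Ian makes (a "deny" on the POST response still keeps the data from the page). The server table is constructed from the three OPTIONS replies in the quote; the cache rule (a policy fetched from the Method-Check-Policy-Path governs every path under that prefix, and never expires because Method-Check-Max-Age is ignored here), the assumption that the POST reply carries the same Access-Control value as the OPTIONS reply, and the function names are all assumptions made for the example.

```javascript
// Constructed from the three OPTIONS replies quoted in the thread, reduced
// to the two fields that matter for the ordering question. Assumption: the
// POST reply for a path carries the same Access-Control value.
const SERVER = {
  "/dir/":  { access: "allow", policyPath: "/dir/" },
  "/dir/A": { access: "allow", policyPath: "/dir/" },
  "/dir/B": { access: "deny",  policyPath: null },
};

function makeUA(server) {
  const cache = new Map(); // prefix -> "allow" | "deny" (assumed semantics)
  const wire = [];         // every request the UA actually puts on the wire

  function fetch(method, path) {
    wire.push(`${method} ${path}`);
    return server[path];
  }

  // Assumption: a policy cached for a policy path governs every path under it.
  function cachedPolicy(path) {
    for (const [prefix, access] of cache) {
      if (path.startsWith(prefix)) return access;
    }
    return null;
  }

  // Preflight as Jonas describes it: OPTIONS the resource, then OPTIONS the
  // policy path it names, and remember that answer for the whole prefix.
  function preflight(path) {
    const first = fetch("OPTIONS", path);
    if (first.access === "deny") return "deny";
    if (first.policyPath) {
      const second = fetch("OPTIONS", first.policyPath);
      cache.set(first.policyPath, second.access);
      return second.access;
    }
    return first.access;
  }

  // Returns whether the POST was sent, whether a preflight happened, whether
  // the response body would be exposed to the page, and the requests sent.
  function post(path) {
    const before = wire.length;
    let access = cachedPolicy(path);
    const preflighted = access === null;
    if (preflighted) access = preflight(path);
    if (access !== "allow") {
      return { sent: false, preflighted, exposed: false, requests: wire.slice(before) };
    }
    const response = fetch("POST", path);
    // Ian's point: a "deny" on the response itself still hides the data.
    const exposed = response.access === "allow";
    return { sent: true, preflighted, exposed, requests: wire.slice(before) };
  }

  return { post, wire };
}

// Ordering 1 from the thread: A first, then B.
function accessAThenB() {
  const ua = makeUA(SERVER);
  return { a: ua.post("/dir/A"), b: ua.post("/dir/B") };
}

// Ordering 2 from the thread: B first, on a fresh UA.
function accessBFirst() {
  return makeUA(SERVER).post("/dir/B");
}
```

Running `accessAThenB()` shows the POST to /dir/B going out with no OPTIONS at all (only "POST /dir/B" on the wire) but with `exposed` false, while `accessBFirst()` sends "OPTIONS /dir/B" and never sends the POST. The two orderings differ in what reaches the server, which is the debugging pain Ian refers to; they agree on what reaches the page.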