- From: Jon Ferraiolo <jferrai@us.ibm.com>
- Date: Fri, 2 May 2008 16:19:52 -0700
- To: Ian Hickson <ian@hixie.ch>
- Cc: public-appformats@w3.org
- Message-ID: <OF006CECD9.3E8EA811-ON8825743D.007ECED7-8825743D.00802972@us.ibm.com>
Sounds like a promising approach to address the CSRF vulnerability due to cross-site cookies. I had mentioned this as an option a couple of months ago: http://lists.w3.org/Archives/Public/public-appformats/2008Feb/0197.html

A general mental model for all security questions is to make the default setup as safe as possible, such as how XDR is designed, but allow servers to opt-in to enable greater flexibility. Not just for cookies, but other things, such as (other) cross-site headers. (AC control already does something in this direction where the server has to opt-in to POST and DELETE.) In addition I suggest that the spec SHOUT ABOUT THE RISKS whenever the server turns on the switches to enable advanced features.

But I want to state again that I still don't like one of the central features of AC where the client enforces which sites are allowed to send a cross-site request. I prefer the simplicity of XDR and JSONRequest, which don't send allow/deny lists to the client for policy enforcement, and which don't send data down to the client only to expect the data to be tossed away if access is denied.

Jon

Ian Hickson <ian@hixie.ch>
Sent by: public-appformats-request@w3.org
05/02/08 03:44 PM

To: public-appformats@w3.org
cc:
Subject: Opting into cookies

I had lunch with sicking, dbaron, and Arun, and sicking proposed an interesting idea for how we could address their concerns with cookies being sent with AC/XHR2 requests.

The proposal is basically that along with the Access-Control header, the user agent can include an Access-Include-Credentials header.

If the header is present, then, when sending the request, the user agent includes cookies and HTTP auth headers (if any apply) as well as a Sec-Credentials-Included header to indicate that cookies and auth tokens were included (since the Cookie header might not be present, for instance, if no cookies apply, and the server needs to distinguish the case of the cookies having been potentially hidden intentionally from the case where the cookies were simply not present).

In the case of GET requests, the credentials would be omitted by default and if the response includes the Access-Include-Credentials then it would be sent again with credentials.

The presence of Access-Include-Credentials would be cached along with the policy and subject to Access-Control-Max-Age.

If this would resolve Mozilla's concerns, then I think we should take it. Of course if it doesn't actually resolve their concerns then ignore me. :-)

Cheers,
-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /, _.. \ _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
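The exchange Ian sketches above, modelled as an added example that is not part of the original message and is not code from any browser or from the Access Control spec. A toy origin server and a toy user agent in JavaScript play both sides: a GET first goes out without credentials, the server's response carries Access-Include-Credentials if it opts in, the user agent then resends with the Cookie and a Sec-Credentials-Included header, and the decision is cached for Access-Control-Max-Age seconds. The header names are the ones in the message; treating Access-Include-Credentials as a response header, the "allow <origin>" syntax, and the origins, cookies and max-age values are assumptions made for this example.

```javascript
// Added model of the opt-into-credentials proposal from this thread.
// Assumed: Access-Include-Credentials is a response header; the Access-Control
// allow-list is written "allow <origin> [<origin> ...]"; origins, cookies and
// max-age values below are constructed for the example.

function originAllowed(accessControlValue, requestingOrigin) {
  if (!accessControlValue) return false;
  const m = /^allow\s+(.*)$/.exec(accessControlValue.trim());
  if (!m) return false;
  return m[1].split(/\s+/).some(tok => tok === `<${requestingOrigin}>` || tok === "<*>");
}

// Constructed origin server. It uses Sec-Credentials-Included, not the mere
// absence of Cookie, to tell "credentials withheld" from "no cookie applies".
function makeServer({ allowOrigin, optInCredentials, maxAge }) {
  return function handle(req) {
    const headers = { "Access-Control": `allow <${allowOrigin}>` };
    if (optInCredentials) headers["Access-Include-Credentials"] = "true";
    if (maxAge !== undefined) headers["Access-Control-Max-Age"] = String(maxAge);
    const credentialed = req.headers["Sec-Credentials-Included"] === "true";
    const cookie = req.headers["Cookie"];
    let body;
    if (credentialed && cookie) body = `private data for ${cookie.split("=")[1]}`;
    else if (credentialed) body = "anonymous: no cookie applies";
    else body = "public data: credentials withheld";
    return { status: 200, headers, body };
  };
}

// Constructed user agent: safe default (no credentials), opt-in resend, cache.
function makeUserAgent({ requestingOrigin, cookieJar }) {
  const policyCache = new Map(); // target -> { includeCredentials, expires }
  const wire = [];               // every request actually sent, for inspection

  function dispatch(server, target, includeCredentials) {
    const headers = { Origin: requestingOrigin };
    if (includeCredentials) {
      if (cookieJar[target]) headers["Cookie"] = cookieJar[target];
      headers["Sec-Credentials-Included"] = "true"; // sent even when no cookie applies
    }
    wire.push({ target, credentials: includeCredentials });
    return server({ method: "GET", target, headers });
  }

  function get(server, target, nowSeconds) {
    const cached = policyCache.get(target);
    if (cached && nowSeconds < cached.expires) {
      const r = dispatch(server, target, cached.includeCredentials);
      return { status: r.status, body: r.body, requests: 1 };
    }
    const first = dispatch(server, target, false);
    if (!originAllowed(first.headers["Access-Control"], requestingOrigin)) {
      // The response already reached the client and is discarded here: the
      // client-side enforcement (and wasted transfer) Jon objects to above.
      return { status: 0, body: null, requests: 1, blocked: true };
    }
    const optIn = first.headers["Access-Include-Credentials"] === "true";
    const maxAge = Number(first.headers["Access-Control-Max-Age"] || 0);
    policyCache.set(target, { includeCredentials: optIn, expires: nowSeconds + maxAge });
    if (!optIn) return { status: first.status, body: first.body, requests: 1 };
    const second = dispatch(server, target, true); // resend with credentials
    return { status: second.status, body: second.body, requests: 2 };
  }

  return { get, wire };
}

// Walk the scenarios from the message; returns results for inspection.
function demo() {
  const jar = { "https://api.example": "session=alice" }; // constructed cookie jar
  const ua = makeUserAgent({ requestingOrigin: "https://app.example", cookieJar: jar });
  const optIn = makeServer({ allowOrigin: "https://app.example", optInCredentials: true, maxAge: 600 });
  const noOptIn = makeServer({ allowOrigin: "https://app.example", optInCredentials: false });
  const wrongOrigin = makeServer({ allowOrigin: "https://other.example", optInCredentials: true });
  return {
    first: ua.get(optIn, "https://api.example", 0),        // two requests, private body
    cached: ua.get(optIn, "https://api.example", 100),     // one credentialed request
    expired: ua.get(optIn, "https://api.example", 700),    // max-age passed: two again
    plain: ua.get(noOptIn, "https://public.example", 0),   // never sends cookies
    denied: ua.get(wrongOrigin, "https://foreign.example", 0),
    noCookie: ua.get(optIn, "https://nocookie.example", 0), // server sees the flag, no Cookie
    wire: ua.wire,
  };
}
```

The `noCookie` case is the one the Sec-Credentials-Included header exists for: the server receives no Cookie header in both the "withheld" and the "none applies" cases, and only the flag lets it answer "anonymous" rather than "public".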
Received on Friday, 2 May 2008 23:22:05 UTC