- From: Markus Lanthaler <markus.lanthaler@gmx.net>
- Date: Tue, 14 Oct 2014 13:18:13 +0200
- To: <public-hydra@w3.org>
On 10 Oct 2014 at 16:59, Kjetil Kjernsmo wrote:
> So, I discovered there were some points that I hadn't responded to. Markus
> wrote way back:
>
>> Access-Control-Allow-Origin is not about authentication... thus I'm
>> actually a bit confused what you are discussing here. Access-Control-
>> Allow-Origin is about allowing browsers to access resources on other
>> servers.
>
> Right. I was referring to some of the attacks that are made possible by CORS,
> as far as I have understood it.
>
> If someone puts up a TPF server on an Intranet containing information not
> meant for outsiders, and this has a CORS header allowing anybody, an
> attacker could access this information if they can trick an internal user
> who has authenticated to access the Internet resource to execute a script
> that cross-origin-shares the secret information... Such attacks are
> discussed in the CORS spec, perhaps this resource is better to understand
> it: http://resources.infosecinstitute.com/demystifying-html-5-attacks/

Yes, that's of course completely right.

> Or it may of course be that I haven't understood the attack, but personally,
> I'd be very cautious about adding CORS to private resources, and * I would
> certainly never add to anything that weren't meant for the public Internet.

If the resource requires authentication and doesn't work with cookies, then
the attack would be impossible (or at least very very difficult).

> So, you could of course say that TPFs are *just* for the public Internet,
> but I think that would be a mistake.

+1

I actually forgot what we are discussing here but I just had a look at the
LDF specs and see that we are probably discussing the following statement in
the TPF spec [1]:

    In order to allow browser applications to access fragments, Cross-Origin
    Resource Sharing [CORS] MUST be enabled on the server. To this end, triple
    pattern fragments servers MUST emit the following header and value on all
    HTTP responses to requests for triple pattern fragments, regardless of
    their status code:

I would thus suggest changing the spec as follows [2]:

    In order to allow browser applications to access fragments, Cross-Origin
    Resource Sharing [CORS] **has to be** enabled on the server. To this end,
    triple pattern fragments servers **SHOULD** emit the following header and
    value on all HTTP responses to requests for triple pattern fragments,
    regardless of their status code:

[1] http://www.hydra-cg.com/spec/latest/triple-pattern-fragments/#h4_accessibility-for-web-applications
[2] https://github.com/HydraCG/Specifications/pull/76

--
Markus Lanthaler
@markuslanthaler
Received on Tuesday, 14 October 2014 11:18:44 UTC
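The exchange above turns on how a browser treats a wildcard Access-Control-Allow-Origin when the request carries credentials. The following is an added example, not code from the thread, the Hydra CG or the TPF spec: a small model of the browser-side CORS response check as defined in the Fetch standard, run against three constructed scenarios. The hostnames, the assumption that the TPF server emits `Access-Control-Allow-Origin: *` (the spec text quoted above elides the header value), and the scenario names are all assumptions made for the example.

```javascript
// Added example (not from the thread or the TPF spec): a model of the
// "CORS check" a browser performs on a cross-origin response before it
// lets the calling script read the body. The server only emits headers;
// the browser enforces them.
function corsCheck({ requestOrigin, credentials }, responseHeaders) {
  // Header names are case-insensitive; normalise for lookup.
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v;
  const allowOrigin = h["access-control-allow-origin"];
  const allowCreds = h["access-control-allow-credentials"];

  if (allowOrigin === undefined) {
    return { allowed: false, reason: "no Access-Control-Allow-Origin header" };
  }

  if (credentials !== "include") {
    // Request sent without cookies/HTTP auth: "*" or an exact origin
    // match is enough for the script to read the response.
    if (allowOrigin === "*" || allowOrigin === requestOrigin) {
      return { allowed: true, reason: "origin allowed, no credentials sent" };
    }
    return { allowed: false, reason: "origin mismatch" };
  }

  // Credentialed request (cookies, HTTP auth, client certificates): the
  // Fetch standard rejects the wildcard outright and additionally requires
  // Access-Control-Allow-Credentials to be exactly "true".
  if (allowOrigin === "*") {
    return { allowed: false, reason: "wildcard origin rejected for credentialed request" };
  }
  if (allowOrigin !== requestOrigin) {
    return { allowed: false, reason: "origin mismatch" };
  }
  if (allowCreds !== "true") {
    return { allowed: false, reason: "Access-Control-Allow-Credentials missing or not 'true'" };
  }
  return { allowed: true, reason: "credentialed cross-origin read allowed" };
}

// Constructed scenarios; the hostnames are hypothetical.
const ATTACKER_ORIGIN = "https://attacker.example";

// 1. Intranet TPF server emitting the wildcard (assumed header value) on a
//    resource with no authentication at all. The victim's browser sits on
//    the intranet, so the attacker's page can fetch and read the data:
//    this is the leak Kjetil describes.
function scenarioOpenIntranet() {
  return corsCheck(
    { requestOrigin: ATTACKER_ORIGIN, credentials: "omit" },
    { "Access-Control-Allow-Origin": "*" }
  );
}

// 2. Same server, but the resource is protected by a cookie session. The
//    browser refuses to expose the response to the wildcard, so the
//    wildcard alone does not leak cookie-authenticated data.
function scenarioWildcardWithCookies() {
  return corsCheck(
    { requestOrigin: ATTACKER_ORIGIN, credentials: "include" },
    { "Access-Control-Allow-Origin": "*" }
  );
}

// 3. A server that reflects the caller's Origin and adds
//    Allow-Credentials: true. Now the cookie-authenticated response IS
//    readable cross-origin: the configuration to avoid on private data.
function scenarioReflectedOrigin() {
  return corsCheck(
    { requestOrigin: ATTACKER_ORIGIN, credentials: "include" },
    {
      "Access-Control-Allow-Origin": ATTACKER_ORIGIN,
      "Access-Control-Allow-Credentials": "true",
    }
  );
}

// Stand-alone run: print the verdict for each scenario.
for (const s of [scenarioOpenIntranet, scenarioWildcardWithCookies, scenarioReflectedOrigin]) {
  const r = s();
  console.log(`${s.name}: allowed=${r.allowed} (${r.reason})`);
}
```

Scenario 1 is why a wildcard on an intranet server is still a concern even though cookies are not involved: the attacker borrows the victim's network position, not their session. Scenario 2 is the case Markus refers to, where credentials that the attacker's script cannot supply (or that the browser will not attach to a wildcard response) keep the data out of reach.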