include/omit (was Re: [Beacon] Last Call comments re: privacy and editorial suggestions)

Is this outcome (include credentials) what was intended by the CORS specification?

> When this specification is used for requests which have significance other than retrieval and which involve coordination between or data originating from more than two origins, (e.g. between resources enabling editing, printing and storage, each at distinct origins) requests ought to set the omit credentials flag and resources ought to perform authorization using security tokens explicitly provided in the content of the request, especially if the origins are not all mutually and completely trusted.
> 
> In such multi-origin scenarios, a malicious resource at one of the origins may be able to enlist the user-agent as a confused deputy and elevate its privileges by abusing user credentials sent with cross-origin requests. Avoiding such attacks requires that the coordinating applications have explicit knowledge of the scope of privilege for each origin and that all parameters and instructions received are carefully validated at each step in the coordination to ensure that effects implied do not exceed the authority of the originating principal. [CONFUSED]
> 
> Given the difficulty of avoiding such vulnerabilities in multi-origin interactions it is recommended that, instead of using user credentials automatically attached to the request by the user agent, security tokens which specify the particular capabilities and resources authorized be passed as part of the explicit content of a request. OAuth again provides an example of such a pattern.

It seems like CORS suggests that subsequent specifications should set "omit" when requests have significance other than retrieval (Beacon doesn't allow for retrieval) and could be used across multiple origins.

Of course, if this is a simple cross-origin request, then I think these CORS security considerations aren't intended to apply because of existing implementations. That is, if you respond to the questions in the email I just sent, you can likely safely ignore this email.

Thanks,
Nick

On October 9, 2014, at 2:49 PM, Philippe Le Hegaret <plh@w3.org> wrote:

> On Tue, 2014-07-29 at 17:22 -0700, Jonas Sicking wrote:
>>> This email suggests you settled on "yes, let's always send credentials"
>>> http://lists.w3.org/Archives/Public/public-web-perf/2014Feb/0025.html
>>> but the spec suggests that the credentials mode is always "omit". Which was
>>> intended here?
>> 
>> "omit" sounds wrong indeed.
> 
> On Sat, 2014-08-23 at 07:05 -0700, Arvind Jain wrote:
>> I wanted to follow up on the credentials mode question. Jonas,
>> Nicholas, could you help me with it?
> 
> To close the loop on this one, the spec now says "include"
> 
> https://github.com/w3c/beacon/issues/1
> 
> Philippe

Received on Tuesday, 14 October 2014 00:20:58 UTC