- From: Thomas Roessler <tlr@w3.org>
- Date: Tue, 18 Mar 2008 09:24:28 +0100
- To: Sunava Dutta <sunavad@windows.microsoft.com>
- Cc: "Web API WG (public)" <public-webapi@w3.org>, "public-appformats@w3.org" <public-appformats@w3.org>, Eric Lawrence <ericlaw@exchange.microsoft.com>, Chris Wilson <Chris.Wilson@microsoft.com>, Zhenbin Xu <zhenbinx@windows.microsoft.com>, Gideon Cohn <gidco@windows.microsoft.com>, Sharath Udupa <Sharath.Udupa@microsoft.com>, Doug Stamper <dstamper@exchange.microsoft.com>, Marc Silbey <marcsil@windows.microsoft.com>, David Ross <dross@windows.microsoft.com>
On 2008-03-17 19:52:18 -0700, Sunava Dutta wrote:

> The Access-Control spec notes that:
>
> Authors are to ensure that GET requests on their
> applications have no side effects. If by some means an
> attacker finds out what applications a user is associated
> with, it might "attack" these applications with GET
> requests that can effect [sic] the user's data (if the user
> is already authenticated with any of these applications by
> means of cookies or HTTP authentication).
>
> I'm concerned that this note suggests that the spec fails to meet
> its own requirement #2:
>
> Must not require content authors or site maintainers to
> implement new or additional security protections to
> preserve their existing level of security protection.
>
> ...As cookies and HTTP authentication are commonly used security
> protections yet they are sent by cross-origin requests. CSRF is
> already a growing problem in the wild, and the Access-Control
> mechanism requires that web developers understand extremely
> subtle aspects of the security model to keep their sites secure.

I'm not sure how subtle the GET vs POST aspect really is -- after all,
Web developers who use GET with side effects without employing
mitigating techniques will already expose themselves to:

- any clients or proxies that assume that GET is idempotent
- attackers' ability to place pretty arbitrary GET requests with HTTP
  authentication headers and cookies, cross-site

That's not new, and it's not made worse in any significant way by the
access-control spec.

--
Thomas Roessler, W3C <tlr@w3.org>
Received on Tuesday, 18 March 2008 08:25:03 UTC
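As an added illustration of the GET-with-side-effects point discussed in this exchange (example code written for this page; it is not from the thread, the Access-Control spec, or any of the parties' code, and the handler names, the session cookie value and the secret are constructed): a state-changing GET that relies on cookie auth alone, beside a handler that restricts the side effect to POST and checks a session-bound token that a cross-origin page cannot obtain.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Assumption: a server-side secret used to derive session-bound CSRF tokens.
SECRET = b"constructed-server-secret"

@dataclass
class Request:
    """Constructed stand-in for an HTTP request as a handler sees it."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)  # browser attaches these cross-site
    params: dict = field(default_factory=dict)   # query string or form body

def csrf_token(session: str) -> str:
    """Synchronizer token bound to the session; a cross-origin page cannot read it."""
    return hmac.new(SECRET, session.encode(), hashlib.sha256).hexdigest()

def legacy_transfer(req: Request, balances: dict) -> int:
    """Pattern the thread warns about: cookie auth alone, side effect on GET."""
    user = req.cookies.get("session")
    if user is None:
        return 401
    balances[user] -= int(req.params["amount"])  # runs for any method
    return 200

def hardened_transfer(req: Request, balances: dict) -> int:
    """Mitigated: side effect only on POST, and only with a valid session-bound token."""
    user = req.cookies.get("session")
    if user is None:
        return 401
    if req.method != "POST":
        return 405  # GET stays idempotent, as proxies and the spec assume
    if not hmac.compare_digest(req.params.get("csrf_token", ""), csrf_token(user)):
        return 403  # a forged cross-site POST carries the cookie but not the token
    balances[user] -= int(req.params["amount"])
    return 200

def simulate(handler, method: str, with_token: bool) -> tuple:
    """Replay a request the victim's browser would send with its cookie attached."""
    balances = {"alice": 100}
    params = {"amount": "40"}
    if with_token:  # only the site's own page can embed the real token
        params["csrf_token"] = csrf_token("alice")
    status = handler(Request(method, "/transfer", {"session": "alice"}, params), balances)
    return status, balances["alice"]
```

The legacy handler moves money on a bare GET with the cookie attached; the hardened one refuses GET outright and refuses a POST whose token does not match the session.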