- From: Jonas Sicking <jonas@sicking.cc>
- Date: Fri, 13 Jun 2008 16:56:16 -0700
- To: Web Applications Working Group WG <public-webapps@w3.org>
Hi All, Since I haven't received any feedback on the various straw-men in the "Opting in to cookies" thread, I'll send a full proposal (wrote most of this yesterday, Thomas wrote some opinions on cookies this morning). First off, as before, when I talk about "cookies" in this mail I really mean cookies + digest auth headers + any other headers that carry the users credentials to a site. However i'll just use the term "cookies" for readability, and since that is on the web currently the most common carrier of credentials. So here goes: When loading a resource using access-control associate the request with a "with credentials" flag. When the resource is loaded using an URI which starts with the string "user-private:" set the "with credentials" flag to true. Otherwise set it to false. Make the following modifications to the Access Control Check Algorithm (as described in section 5.2.1): Add a step before step 1 that says: If the "with credentials" flag is true and the HTTP header "Access-Control-Allow-Credentials" is missing or not set to the value "all" then return "fail". Also insert a step between step 3 and step 4 that says: If the "with credentials" flag is true then terminate the algorithm and return "fail". When doing a Simple Cross-Site Access Request (section 5.1.3) credentials are only sent in the request in step 3 if the "with credentials" flag is true. When doing a Cross-Site Access Request with Preflight (section 5.1.4) make the following modifications: Entries in the access preflight result cache (section 5.1.4) are modified such that they include a "with credentials" field. Change the first paragraph in step 5 to say: Locate the entry in the preflight result cache where the origin matches the origin field value, and the current request URI is identical to the uri field value or starts with the uri prefix field value. If there is such an entry and that entry has the "with credentials" field value set to false, and the "with credentials" flag for the request is set to true, terminate the algorithm and return "fail". Otherwise, if an entry was located, proceed to the next step. Modify the last sentence of the paragraph in step 7 to say: Then append a cache entry and set the uri prefix field value for that entry to the policy URI, and the "with credentials" to true if the response contained a "Access-Control-Allow-Credentials" HTTP header with the value "all", or false otherwise. The result of this is that adding the header "Access-Control-Allow-Credentials: all" allows the server to opt in to receiving cookies. This header is only applied to Access-Control headers, not <?Access-Control?> PIs. A nice side effect is that is that if there is no way to use cookies together with the <?Access-Control?> PI. This means that if an attacker somehow manages to modify the content of a reply in such a way that a Access-Control PI is inserted, most of the time no dangerous requests can be made, and no private data can be leaked. The exception is when the server is protected by a firewall, however that is much less common, especially for such servers to participate in mashups. This should make keeping the <?Access-Control?> PI in the spec significantly less likely to cause exploitable servers. / Jonas
Received on Saturday, 14 June 2008 00:00:00 UTC