- From: Ian Hickson <ian@hixie.ch>
- Date: Thu, 19 Jun 2008 21:45:55 +0000 (UTC)
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: Web Applications Working Group WG <public-webapps@w3.org>
On Thu, 19 Jun 2008, Jonas Sicking wrote:
>
> > This only helps with servers that have same-domain pages that accept
> > cookies, but have no cross-domain pages that accept cookies, ever
> > (since if any of the cross-domain pages accept cookies, then our
> > initial assumption -- that the site author makes a mistake and his
> > site reacts to cookies in third-party requests by doing bad things --
> > means that he's lost).
>
> How so. Sites that have a combination of private and public data can,
> and hopefully will, only set the Access-Control-With-Credentials header
> for the parts that serve private data. It needs to apply different
> opt-in policies here anyway since it needs to ask the user before
> sharing any of his/her data.

The scenario we are trying to address is the scenario where an author has accidentally allowed cross-site access to a part of the site that gives users abilities if they provide valid credentials, to prevent other sites from pretending to be the user and acting in a user-hostile way as if on the user's behalf.

Thus we are assuming that if a cookie is sent to the server with a cross-site request, the server will be vulnerable. That is the fundamental assumption.

Now, we can work around that by making it that authors don't accept cookies for cross-site requests, but only accept them from same-site requests. That works, because our assumption only relates to cross-site requests that _do_ include cookies.

If the server then opts-in to receiving cookies, then the server will receive cookies. Our assumption is that if a cookie is sent to the server with a cross-site request, the server will be vulnerable. Thus the server is now again vulnerable.

We can't pretend that the author will make a mistake if they always receive cookies but then assume that the author will suddenly stop making mistakes when we provide them with a way to opt-in to cookies. Either the author is going to make mistakes, or he isn't.

We have to be consistent in our threat assessment.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 19 June 2008 21:46:36 UTC
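As an added example, not code from this thread or from either author, here is a small Python model of the workaround Ian describes: a session cookie is acted on for same-site requests, and for cross-site requests only where that specific resource has opted in for that specific origin, so every other cross-site request is handled as anonymous. It uses the header names CORS eventually settled on (Access-Control-Allow-Credentials rather than the 2008 draft's Access-Control-With-Credentials); the origins, paths and resource table are constructed for the example.

```python
# Added example (not from the thread): a toy request gate modelling the
# workaround Ian describes, namely that a server only acts on cookies for
# same-site requests unless a specific resource has opted in for a specific
# cross-site origin. Header names are the ones CORS settled on
# (Access-Control-Allow-Credentials, not the 2008 draft's
# Access-Control-With-Credentials). Origins and paths are constructed.

SITE_ORIGIN = "https://example.test"  # constructed: this server's own origin

# Constructed per-resource policy: "public" means anyone may read it
# anonymously; credentialed_origins lists the cross-site callers for which
# the user's session cookie may be honoured (the per-resource opt-in).
RESOURCES = {
    "/public/feed":   {"public": True,  "credentialed_origins": set()},
    "/private/inbox": {"public": False, "credentialed_origins": {"https://partner.test"}},
}

ACAO = "Access-Control-Allow-Origin"
ACAC = "Access-Control-Allow-Credentials"


def honour_credentials(path, origin, has_cookie):
    """Decide for one request whether the session cookie may be acted on.

    Returns (authenticated, cors_headers). authenticated is True only when
    the handler should treat the request as the cookie's user; cors_headers
    are what the response must carry for a cross-site caller to read it.
    """
    policy = RESOURCES.get(path)
    if policy is None:
        return False, {}
    # No Origin header is taken to mean a same-site, non-CORS request
    # (an assumption of this toy; a real server keys this on its framework).
    if origin is None or origin == SITE_ORIGIN:
        return has_cookie, {}
    # Cross-site: the cookie counts only where this resource opted in for
    # this exact origin. Every other cross-site request is anonymous, which
    # is what keeps a mistaken handler from acting on behalf of the user.
    if origin in policy["credentialed_origins"]:
        return has_cookie, {ACAO: origin, ACAC: "true"}
    if policy["public"]:
        return False, {ACAO: "*"}
    return False, {}
```

The private resource is the one place a cross-site caller can act as the user, and only from the allow-listed origin; a cookie arriving from any other origin is simply not consulted.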