- From: Jonas Sicking <jonas@sicking.cc>
- Date: Thu, 19 Jun 2008 17:03:19 -0700
- To: Ian Hickson <ian@hixie.ch>
- CC: Web Applications Working Group WG <public-webapps@w3.org>
Ian Hickson wrote:
> On Thu, 19 Jun 2008, Jonas Sicking wrote:
>>> This only helps with servers that have same-domain pages that accept
>>> cookies, but have no cross-domain pages that accept cookies, ever
>>> (since if any of the cross-domain pages accept cookies, then our
>>> initial assumption -- that the site author makes a mistake and his
>>> site reacts to cookies in third-party requests by doing bad things --
>>> means that he's lost).
>> How so? Sites that have a combination of private and public data can,
>> and hopefully will, only set the Access-Control-With-Credentials header
>> for the parts that serve private data. It needs to apply different
>> opt-in policies here anyway since it needs to ask the user before
>> sharing any of his/her data.
>
> The scenario we are trying to address is the scenario where an author has
> accidentally allowed cross-site access to a part of the site that gives
> users abilities if they provide valid credentials, to prevent other sites
> from pretending to be the user and acting in a user-hostile way as if on
> the user's behalf.
>
> Thus we are assuming that if a cookie is sent to the server with a
> cross-site request, the server will be vulnerable. That is the fundamental
> assumption.
>
> Now, we can work around that by making it that authors don't accept
> cookies for cross-site requests, but only accept them from same-site
> requests. That works, because our assumption only relates to cross-site
> requests that _do_ include cookies.
>
> If the server then opts-in to receiving cookies, then the server will
> receive cookies. Our assumption is that if a cookie is sent to the server
> with a cross-site request, the server will be vulnerable. Thus the server
> is now again vulnerable.
>
> We can't pretend that the author will make a mistake if they always
> receive cookies but then assume that the author will suddenly stop making
> mistakes when we provide them with a way to opt-in to cookies. Either the
> author is going to make mistakes, or he isn't. We have to be consistent in
> our threat assessment.

Yes, if they only do that then they will be vulnerable. The site is as always responsible for asking the user before allowing third-party access to private data, and yes, if they fail to do so properly they will be vulnerable.

/ Jonas
Received on Friday, 20 June 2008 00:03:25 UTC
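The per-resource opt-in that Jonas describes (only the parts of a site that serve private data opt in to credentialed cross-site access, and everything else ignores cookies on cross-site requests) can be modelled in a few lines. The following is an added illustration, not code from the thread or from either author; it uses the header names that eventually shipped (`Access-Control-Allow-Origin` and `Access-Control-Allow-Credentials`) rather than the draft `Access-Control-With-Credentials` name discussed above, and the site origin, partner origin, endpoint paths and session cookie value are constructed for the example.

```python
"""Simulated per-resource credential policy for cross-origin requests.

Added example (not part of the mailing-list thread). It models the mistake the
thread warns about, a server acting on a cookie that arrived on a cross-site
request, and the mitigation Jonas describes: only resources that serve private
data opt in, and only for origins they trust. All origins, paths and cookie
values below are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

SITE_ORIGIN = "https://app.example"          # constructed
TRUSTED_PARTNER = "https://partner.example"  # constructed

# Per-resource policy: which origins may read the resource, and whether the
# resource may be read with the user's cookies attached.
POLICY = {
    "/public/news":   {"origins": {"*"}, "credentials": False},
    "/private/inbox": {"origins": {TRUSTED_PARTNER}, "credentials": True},
    "/private/admin": {"origins": set(), "credentials": False},
}


@dataclass
class Request:
    path: str
    origin: Optional[str]   # None for same-origin / non-CORS requests
    cookie: Optional[str]


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def handle(req: Request) -> Response:
    """Server side: decide whether to honour the cookie and which CORS headers to emit."""
    policy = POLICY.get(req.path)
    if policy is None:
        return Response(404)
    cross_site = req.origin is not None and req.origin != SITE_ORIGIN
    # Ignore a cookie on a cross-site request unless this specific resource
    # opted in to credentials AND the requesting origin is one it trusts.
    use_cookie = req.cookie is not None and (
        not cross_site or (policy["credentials"] and req.origin in policy["origins"])
    )
    authenticated = use_cookie and req.cookie == "session=valid"  # constructed value
    if req.path.startswith("/private") and not authenticated:
        return Response(401)
    resp = Response(200, body=f"contents of {req.path}")
    if cross_site and (req.origin in policy["origins"] or "*" in policy["origins"]):
        if policy["credentials"] and req.origin in policy["origins"]:
            # Credentialed responses must echo the exact origin, never "*".
            resp.headers["Access-Control-Allow-Origin"] = req.origin
            resp.headers["Access-Control-Allow-Credentials"] = "true"
        else:
            resp.headers["Access-Control-Allow-Origin"] = "*"
    return resp


def browser_exposes(req: Request, resp: Response) -> bool:
    """Client side: may the requesting page read the response body?"""
    if req.origin is None or req.origin == SITE_ORIGIN:
        return True
    allow = resp.headers.get("Access-Control-Allow-Origin")
    if req.cookie is not None:
        # A request sent with credentials needs an exact origin match plus the flag.
        return allow == req.origin and resp.headers.get("Access-Control-Allow-Credentials") == "true"
    return allow in ("*", req.origin)


if __name__ == "__main__":
    cases = [
        Request("/private/inbox", None, "session=valid"),               # same-origin user
        Request("/private/inbox", "https://evil.example", "session=valid"),  # untrusted site
        Request("/private/inbox", TRUSTED_PARTNER, "session=valid"),    # opted-in partner
        Request("/public/news", "https://evil.example", None),          # public data
    ]
    for req in cases:
        resp = handle(req)
        print(req.origin, req.path, resp.status, browser_exposes(req, resp))
```

The point the simulation makes is the one Jonas argues: an unrelated origin that carries the user's cookie to `/private/inbox` gets a 401 because the server never treats that cookie as valid for a cross-site request, while the same cookie from the one partner origin that the resource opted in for is honoured and the browser is told, with an exact origin echo, that the response may be read.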