W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2009

Re: Redirect and Origin

From: Tyler Close <tyler.close@gmail.com>
Date: Tue, 9 Jun 2009 15:05:56 -0700
Message-ID: <5691356f0906091505o63555d21ib4d48c298d207f44@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: public-webapps <public-webapps@w3.org>
On Tue, Jun 9, 2009 at 2:52 PM, Adam Barth<w3c@adambarth.com> wrote:
> On Tue, Jun 9, 2009 at 2:20 PM, Tyler Close<tyler.close@gmail.com> wrote:
>> I had thought CORS, by it's use of Origin, was meant to be a safe
>> replacement for JSON-P.
> Can you explain again how the attack works for Origin-header-for-CORS?
>  Keep in mind that the response is delivered to the original
> requester, who should be accurately identified by the Origin header
> (even through redirects).

But the side-effects of the request still happen. The attacker can
cause mutation of server-side state belonging to the victim user.

I believe the scenario in the first email works as described in CORS.
I don't see anything in the CORS redirect steps that changes the
Origin processing from what is described in your I-D.


These documents really need to state that they are only addressing
messaging between mutually trusting sites.


"Waterken News: Capability security on the Web"
Received on Tuesday, 9 June 2009 22:06:34 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:12:54 UTC