Re: [cors] origin and redirects

On Tue, 16 Jun 2009 18:12:14 +0200, Mark S. Miller <erights@google.com> wrote:
> On Tue, Jun 16, 2009 at 8:05 AM, Anne van Kesteren <annevk@opera.com>  
> wrote:
>> This creates some related issues we have to sort out one way or another:
>>
>>  A) How does this affect Access-Control-Allow-Origin?
>>
>>  B) How does this affect the preflight result cache?
>
> I am very glad that the current cors document explains recommended server
> behavior. Any enhancement, changes, or alternatives to cors should follow
> this example. If the Origin header expands to carry a list of origins,  
> then we should update the cors recommended server behavior to account for  
> this.

Right.


> Only then can we evaluate what new vulnerabilities we create by adding  
> yet more epicycles. If we cannot write down a coherent recommendation for how
> servers should make use of this new information, then we should not  
> propose to provide this new information.

Yeah, I do not think this is the problem though. Although it does increase complexity. Not sure if it increases it significantly, but comparing a list is certainly more complex than a string.


> If cors is indeed on a path to recapitulate the Java stack introspection
> architecture as Tyler alleges, I would expect the first recommendation to
> be:
>
> Check every origin in the set against the resource's ACL. Only if  
> the ACL allows this access for all origins in the set, then the access is
> allowed.
>
> IIRC, this recapitulates something like Java 1.1 or so. If this is indeed
> the cors path, the next step on this path would be to allow the  
> redirections
> to provide additional access control advice, and for the recommended ACL
> check at the server to treat the list no longer as a set but rather in an
> order dependent manner, where some of this access control advice cuts off
> the search farther back in the stack. But perhaps the constraints are
> different leading to a different trajectory?

I'm not sure. I'm hoping for people smarter than me to figure this one out :-)


-- 
Anne van Kesteren
http://annevankesteren.nl/

Received on Wednesday, 17 June 2009 13:41:23 UTC