- From: Tyler Close <tyler.close@gmail.com>
- Date: Mon, 22 Jun 2009 13:16:12 -0700
- To: Adam Barth <w3c@adambarth.com>
- Cc: Ian Hickson <ian@hixie.ch>, Anne van Kesteren <annevk@opera.com>, Mark Nottingham <mnot@mnot.net>, public-webapps@w3.org
On Mon, Jun 22, 2009 at 12:33 PM, Adam Barth <w3c@adambarth.com> wrote:
> On Mon, Jun 22, 2009 at 11:30 AM, Tyler Close <tyler.close@gmail.com> wrote:
>> It appears to me that almost all
>> the complexity of CORS comes from its attempt to protect resources
>> that rely solely on IP-based authentication.
>
> I'm not sure this is the case. I think the reasoning goes like this:
>
> 1) We can't strip all the credential information from cross-origin requests.
> 2) There's a large amount of value in supporting all the normal
> credentials associated with HTTP requests.
> 3) Given (1), we have to deal with the credential issue. Given (2),
> we get a large benefit from supporting all kinds of credentials.
> 4) Given (3), some folks have made a judgement call that the value of
> supporting credentials is worth the complexity.

Perhaps that is the reasoning of the authors, I don't know. Ian
Hickson's email seemed to suggest that IP-based authentication was the
primary reason to not consider the simpler approach I outlined.

In either case, we know that the value of (2) is illusory since CSRF
vulnerabilities prevent its use (unless all the sites in the scenario
are trusted).

For (1), I think it's worth investigating exactly what sites rely on.
For example, if sites are only relying on IP-based authentication to
ensure a response is delivered to that IP address, then we're in good
shape, since we can easily implement this by checking for the absence
of a cross-domain enabled header.

>> So let's take a look at the ACM digital library case. Is there some
>> document that describes its use of IP-based authentication? Does the
>> resource use this protection to authenticate POST requests, or just
>> GET requests?
>
> I'm not familiar with exactly how it works, but the basic idea is as follows:
>
> 1) Universities (and other folks) pay money to ACM digital library to
> give their networks access to the library.
> 2) When I visit the library from the university network, I can
> download papers, etc.
> 3) When I visit the library from home, I browse the index, but I can't
> download the papers.
>
> I seem to recall that the amount the university pays is somehow
> related to how much they use the library, but I don't know what the
> mechanism is for this or whether UC Berkeley buys an all-you-can-eat
> subscription.

So I just did some poking around on the ACM digital library site (I
believe my company also has a site license). Only GET requests are made
when fetching a paper, so this use-case is not relevant to this
discussion. CORS also allows GET requests to be sent without
restriction.

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Monday, 22 June 2009 20:16:49 UTC
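The message above proposes that a site relying on IP-based authentication can keep that protection by refusing to extend it to requests that carry a cross-domain enabled header. The following is an added example of that server-side gate, not code from the thread or from any of the participants. It assumes the cross-domain signal is the HTTP `Origin` header a browser attaches to cross-origin requests, and the licensed network range (198.51.100.0/24) and the resource's own origin (https://library.example) are constructed sample values.

```python
"""Gate an IP-licensed resource so that ambient (IP-based) authority is
not extended to cross-origin requests.

Added example, not code from the W3C thread.  Assumptions: the
"cross-domain enabled header" is modelled as the HTTP Origin header;
RESOURCE_ORIGIN and LICENSED_NETWORKS are constructed sample values.
"""
import ipaddress
from typing import Dict, Tuple

RESOURCE_ORIGIN = "https://library.example"                     # constructed
LICENSED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]   # constructed


def ip_is_licensed(client_ip: str) -> bool:
    """True when the client address falls inside a licensed network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in LICENSED_NETWORKS)


def authorize(method: str, headers: Dict[str, str],
              client_ip: str) -> Tuple[int, Dict[str, str], str]:
    """Decide whether to serve a licensed paper.

    Returns (status, response_headers, body).  The IP-based entitlement
    is honoured only for requests that carry no cross-origin marker, i.e.
    same-origin requests and top-level navigations, whose response is
    read only by the licensed client itself.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    origin = hdrs.get("origin")

    if origin is not None and origin != RESOURCE_ORIGIN:
        # A page on another origin initiated this request.  The client IP
        # still matches, but the page that would read the response is not
        # the licensee, so serve nothing and emit no CORS headers that
        # would let the browser expose the body to that page.
        return 403, {}, "cross-origin access to licensed content is not enabled"

    if not ip_is_licensed(client_ip):
        return 401, {}, "client network is not licensed"

    if method != "GET":
        # The licence only ever grants read access; nothing state-changing
        # is tied to the client IP, which keeps CSRF out of the picture.
        return 405, {"Allow": "GET"}, "only GET is supported for licensed fetches"

    return 200, {"Cache-Control": "private"}, "<paper bytes>"


if __name__ == "__main__":
    # Constructed requests: same-origin fetch from campus, a cross-origin
    # fetch from the same campus machine, and a fetch from home.
    print(authorize("GET", {}, "198.51.100.7")[0])                                   # 200
    print(authorize("GET", {"Origin": "https://other.example"}, "198.51.100.7")[0])  # 403
    print(authorize("GET", {}, "203.0.113.9")[0])                                    # 401
```

The gate only changes behaviour for browsers, because only browsers attach `Origin`; a non-browser client on the licensed network can omit it and fetch the paper, which is exactly the access the licence already grants. What the check prevents is a page on another origin using a campus visitor's ambient network position to read licensed content, which is the cross-origin exposure the thread is concerned with.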