- From: Mark S. Miller <erights@google.com>
- Date: Tue, 13 Oct 2009 17:31:02 -0700
- To: Adam Barth <w3c@adambarth.com>
- Cc: Anne van Kesteren <annevk@opera.com>, "Henry S. Thompson" <ht@inf.ed.ac.uk>, Jonas Sicking <jonas@sicking.cc>, Arthur Barstow <Art.Barstow@nokia.com>, public-webapps <public-webapps@w3.org>
On Mon, Oct 12, 2009 at 10:49 PM, Adam Barth <w3c@adambarth.com> wrote:
> [...] We should concentrate on the following questions:
>
> 1) Does CORS introduce security vulnerabilities into legacy servers
> that are unaware of the CORS protocol?
> 2) How well does CORS support the simple use cases of cross-origin
> resource sharing?
> 3) Does CORS prevent sophisticated developers from implementing
> advanced use cases?
>
> Do you find CORS problematic for any of the above questions? Do you
> think we should be concerned with other questions?

The issue is either #2 or "other question" depending on how you look at it.

Let's look at this by analogy. Say we rewind the web prior to the introduction of cookies. Say that web already had cookieless cross-origin form GETs and POSTs. Say cookies were now being proposed in this forum, together with the proposal that cookies be conveyed by those cross-origin form GETs and POSTs. As we now know, this mistake resulted in a confused deputy vulnerability, CSRF, that is now understood to be a big deal. How would an objection in this forum to the introduction of cross-origin cookies have fared at that time by the above criteria?

1) Do cross-origin cookies introduce security vulnerabilities into legacy servers that are unaware of the cross-origin cookie protocol?

Since no one yet pays any attention to cookies, adding cookies can't create any vulnerabilities in legacy servers. (And also like CORS, since legacy clients don't send it, it doesn't create any new vulnerabilities for them either.)

2) How well do cross-origin cookies support the simple use cases of cross-origin resource sharing?

As we all now know, many simple use cases are supported well by cross-origin cookies.

3) Do cross-origin cookies prevent sophisticated developers from implementing advanced use cases?

Clearly not. Adding ignorable cookies doesn't prevent anyone from doing anything they can now do.

Q: Do you find cross-origin cookies problematic for any of the above questions?

Apparently not, but I have a nagging feeling that I answer #2 too quickly.

Q: Do you think we should be concerned with other questions?

Yes. Returning from the hypothetical, since we now understand how cross-origin cookies led to CSRF, and since none of the numbered questions would have caught the problem before it was too late, clearly we're missing something.

--
Cheers,
--MarkM
Received on Wednesday, 14 October 2009 00:31:36 UTC