- From: Doug Schepers <schepers@w3.org>
- Date: Sat, 24 Oct 2009 15:37:44 -0400
- To: public-webapps@w3.org
Hi, David-Sarah-

David-Sarah Hopwood wrote (on 10/24/09 2:07 AM):
>
> Currently, the prevalence and impact of CSRF attacks is limited to some
> extent by the same-origin restrictions. The adoption of CORS will remove
> part of that limitation. This should be expected to result in more sites
> that rely on CORS being vulnerable to CSRF, even though the vulnerabilities
> are dependent on the detailed behaviour of those sites and are not a
> *direct* consequence of CORS per se. That is, these sites could in principle
> avoid such attacks, but only by avoiding the use of ambient authority, and
> we know from experience that some proportion of them won't do that.

Okay, so, the complaint isn't that CORS itself is insecure, but that people won't know how to use it properly. This is a different problem, with a different solution.

I certainly acknowledge your concern, and this is something we need to take seriously. If I understand you correctly, there doesn't seem to be anything about the CORS specification inherently that would cause it to change, nor to prevent it from progressing along the W3C Recommendation Track... rather, the challenge is to properly educate people on its use. We need to make sure that, as a consequence of CORS being enabled, site authors don't misapply the new power they have, to the extent that that is possible.

Perhaps at this point we could work on some easy-to-understand tutorials, best practices, or even sample code showing what to do and what not to do with CORS (and cross-site scripting in general), which W3C could host alongside CORS, to get the right messages out there. If the security community is willing to write up articles as well, W3C would be happy to link to or host that material.

Regards-
-Doug Schepers
W3C Team Contact, SVG and WebApps WGs
Received on Saturday, 24 October 2009 19:37:49 UTC
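The exchange above is about sites that rely on ambient authority (the browser attaching the session cookie automatically) becoming exposed once CORS lets a third-party page make credentialed requests. The following is an added example, not code from this thread or from W3C, modelling that situation in plain JavaScript without a network: a server policy that reflects any Origin beside one that uses an allowlist, and an endpoint authorized by cookie alone beside one that also demands a per-session token the third-party page cannot know. The origin names, cookie and header names, session table and account data are all constructed for illustration; the browser-side check is a deliberately simplified model of the CORS response check for a credentialed request (preflight is not modelled).

```javascript
// Added example (not from the thread or W3C): why CORS plus ambient
// authority leaks, and the two fixes a site has. All names and data below
// are constructed assumptions.

const TRUSTED_ORIGINS = new Set(['https://app.example']); // assumed allowlist

// Constructed server-side state: one logged-in user with a session cookie
// and a per-session token that only same-origin script can obtain.
const SESSIONS = {
  'sid=user42': { account: 'balance:1000', csrfToken: 'tok-9f1c' },
};

// Server policy A ("what not to do"): echo any Origin and allow credentials.
// Every site on the web is now a trusted caller of this API.
function corsHeadersReflecting(origin) {
  if (!origin) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Server policy B ("what to do"): only allowlisted origins get credentialed
// access; Vary: Origin keeps shared caches from replaying one origin's
// answer to another.
function corsHeadersAllowlisted(origin) {
  if (!origin || !TRUSTED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin',
  };
}

// The protected endpoint. With ambientOnly=true a valid cookie is enough
// (ambient authority). With ambientOnly=false the caller must also send the
// session's token in a request header, which a third-party page cannot do.
function accountEndpoint(req, opts) {
  const session = SESSIONS[req.cookie];
  if (!session) return { status: 401, body: null };
  if (!opts.ambientOnly && req.headers['x-csrf-token'] !== session.csrfToken) {
    return { status: 403, body: null };
  }
  return { status: 200, body: session.account };
}

// Simplified model of the user agent's CORS check for a credentialed
// request: the calling page may read the body only if the response names
// its origin exactly (a wildcard is not accepted with credentials) and
// explicitly allows credentials.
function pageCanReadResponse(pageOrigin, corsHeaders) {
  return corsHeaders['Access-Control-Allow-Origin'] === pageOrigin &&
         corsHeaders['Access-Control-Allow-Credentials'] === 'true';
}

// Simulate fetch(..., { credentials: 'include' }) issued by script running
// on pageOrigin. The browser attaches the victim's cookie because it is
// ambient; the page can only add headers whose values it already knows.
function crossOriginFetch(pageOrigin, extraHeaders, corsPolicy, endpointOpts) {
  const req = { cookie: 'sid=user42', headers: { origin: pageOrigin, ...extraHeaders } };
  const res = accountEndpoint(req, endpointOpts);
  const cors = corsPolicy(pageOrigin);
  return pageCanReadResponse(pageOrigin, cors) ? res.body : null;
}

// Returns what a page on each origin learns under each combination.
function demo() {
  const evil = 'https://evil.example';
  const app = 'https://app.example';
  return {
    // Reflected origin + cookie-only authorization: evil.example reads the data.
    reflectingAmbient: crossOriginFetch(evil, {}, corsHeadersReflecting, { ambientOnly: true }),
    // An origin allowlist alone stops evil.example from reading the response.
    allowlistAmbient: crossOriginFetch(evil, {}, corsHeadersAllowlisted, { ambientOnly: true }),
    // Even with reflected origins, non-ambient authority (the token) stops it.
    reflectingToken: crossOriginFetch(evil, {}, corsHeadersReflecting, { ambientOnly: false }),
    // The legitimate app, which holds the token, still works under both fixes.
    trustedToken: crossOriginFetch(app, { 'x-csrf-token': 'tok-9f1c' },
                                   corsHeadersAllowlisted, { ambientOnly: false }),
  };
}

console.log(demo());
```

The two fixes are independent: the allowlist decides which origins the browser will let read a credentialed response, while the token removes the reliance on ambient authority altogether, so a site that gets its CORS configuration wrong (or has an allowlisted origin compromised) still does not hand out actions on the strength of a cookie alone.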