Re: CORS Last Call status/plans? [Was: Re: [UMP] Request for Last Call] from Maciej Stachowiak on 2010-04-19 (public-webapps@w3.org from April to June 2010)

From: Maciej Stachowiak <mjs@apple.com>
Date: Mon, 19 Apr 2010 00:41:48 -0700
To: Julian Reschke <julian.reschke@gmx.de>
Cc: Ben Laurie <benl@google.com>, Tyler Close <tyler.close@gmail.com>, Arthur Barstow <Art.Barstow@nokia.com>, ext Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>
Message-id: <CDFB564D-BAE8-4D23-942A-0E17EE6D9548@apple.com>

On Apr 19, 2010, at 12:37 AM, Julian Reschke wrote:

> On 19.04.2010 09:27, Maciej Stachowiak wrote:
>>
>> On Apr 18, 2010, at 9:56 AM, Julian Reschke wrote:
>>
>>> On 18.04.2010 14:35, Ben Laurie wrote:
>>>> In general, whitelists are bad because they close extension points.
>>>> Please consider using a black list instead.
>>>>
>>>>
>>>> In general, blacklists are bad because they open security holes.
>>>
>>> My experience is that people work around white lists by tunneling
>>> information through the parts they are allowed to use. That doesn't
>>> help at all, because it makes detecting and blocking the bad stuff
>>> even harder (example: tunneling other HTTP methods through POST  
>>> using
>>> a "method override" request header).
>>
>> The security concern would be about accidental exposure, not  
>> deliberate
>> tunneling of additional info. It's fine for two cooperating parties  
>> to
>> send each other more information on purpose.
>
> Please consider this:
>
> Blocking unknown response headers means taking away an extension  
> point. On the other hand, right now we are actually also discussing  
> *adding* an extension header ("U", for opt-in).

So far only one person has proposed a header named "U", I don't think  
a header with that specific name is a great idea. That being said,  
explicit opt-in to exposing more response headers seems both useful  
and safe.

> This obviously would be impossible if another layer (say proxies)  
> would already block that.

It wouldn't be impossible, it just wouldn't have the desired end-to- 
end effect. But proxies are already not allowed to remove random  
response headers.

> Don't do to others what you don't want to be done to yourself.
>
> Blacklist things when there is a problem.

I think a whitelist with opt-in exceptions strikes the right balance  
between security and extensibility. You haven't provided any reasons  
why that's not good enough.

Regards,
Maciej

Received on Monday, 19 April 2010 07:42:22 UTC