Re: CORS Header Filtering? from Tyler Close on 2010-05-12 (public-webapps@w3.org from April to June 2010)

From: Tyler Close <tyler.close@gmail.com>
Date: Wed, 12 May 2010 13:16:44 -0700
To: nathan@webr3.org
Cc: Devdatta <dev.akhawe@gmail.com>, public-webapps <public-webapps@w3.org>
Message-ID: <AANLkTimaKJJ_6JE8rPfBYHutAz2QHxphKlHTxlvu0OkI@mail.gmail.com>

On Wed, May 12, 2010 at 1:05 PM, Nathan <nathan@webr3.org> wrote:
> Tyler Close wrote:
>>
>> On Wed, May 12, 2010 at 12:33 PM, Nathan <nathan@webr3.org> wrote:
>>>
>>> Yes,
>>>
>>> The simplest argument I can give is that we (server admins) are trusted
>>> to
>>> set the CORS headers, but not to remove any headers we don't want an XHR
>>> request to see - this is frankly ridiculous.
>>
>> The problem is there might not be a single server admin but many.
>> Quoting from the UMP spec:
>>
>> """
>> Some HTTP servers construct an HTTP response in multiple stages. In
>> such a deployment, an earlier stage might produce a uniform response
>> which is augmented with additional response headers by a later stage
>> that does not understand a uniform response header. This later stage
>> might add response headers with the expectation they will be protected
>> by the Same Origin Policy. The developer of the earlier stage might be
>> unable to update the program logic of the later stage. To accommodate
>> this deployment scenario, user-agents can filter out response headers
>> on behalf of the server before exposing a uniform response to the
>> requesting content.
>> """
>>
>> http://dev.w3.org/2006/waf/UMP/#response-header-filtering
>>
>> I believe the design presented in UMP for response header filtering
>> addresses all use-cases, including your "Location" header example
>> below.
>
> Yes that pretty much covers it, can you confirm if "Uniform-Headers" would
> include the Link header as white-listed? That's the last remaining crucial
> one not covered. (Link header is standards track now).

The response would have to also include the header "Uniform-Headers: Link"

> BTW: I will point out that I hadn't reviewed the UMP spec yet so thisn't
> isn't any political or preference thing.
>
> I still stand by my statement though, CORS cannot possible go through to REC
> status without the headers whitelisted in UMP + the Link header.
>
> Although my preference for both specs would be a Blacklist..

We can't know the names of all the possibly dangerous headers. A
dynamic whitelist defined by the server is the best we can do.

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html

Received on Wednesday, 12 May 2010 20:17:29 UTC