- From: Adam Barth <w3c@adambarth.com>
- Date: Sat, 9 Jan 2010 10:20:04 -0800
- To: Tyler Close <tyler.close@gmail.com>
- Cc: public-webapps <public-webapps@w3.org>
On Sat, Jan 9, 2010 at 7:23 AM, Tyler Close <tyler.close@gmail.com> wrote:
> If the response can be parsed as ECMAScript, an attacker can break
> confidentiality by loading the document using a <script> tag.

As Maciej says, just because the server can screw up its confidentiality doesn't mean we should prevent servers from doing the secure thing. By this argument, we should remove the same-origin policy entirely because some sites might have XSS vulnerabilities.

> Also,
> for any media-type, the attacker can mount a clickjacking attack
> against this design.

Clickjacking is an integrity attack. I'm worried about confidentiality.

> Since in general this design cannot be made safe,
> I think it's better to not support it at all in the security model, by
> allowing a uniform request to follow a non-uniform redirect. A
> security model that works for some media-types but not others is just
> too bizarre to explain to developers.

That's the security model we have. For example, it's safe to return untrusted HTML tags with certain media types but not with others.

> This choice doesn't endanger
> existing resources, since CORS also allows a cross-origin request to
> follow a redirect that has not opted out of the Same Origin Policy.

I'm glad you consider CORS to be the epitome of a secure design. :) (As Maciej says, CORS doesn't appear to have this hole.)

Adam
Received on Saturday, 9 January 2010 18:21:05 UTC
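The confidentiality break Tyler Close describes at the top of this message (a cross-origin response that parses as ECMAScript being pulled in with a <script> tag) can be simulated without a browser. The following is an added example, not code from the thread or from any W3C specification: it uses `new Function` as a stand-in for the browser's script parser, a plain object as a stand-in for the attacker page's global scope, and constructed sample response bodies from a hypothetical authenticated endpoint (the callback name `handleData` and the secret value are made up for the illustration).

```javascript
// Added illustration of the <script>-tag confidentiality leak discussed in
// the thread. All response bodies below are constructed sample data; the
// "attacker scope" object is a hypothetical stand-in for the attacker page's
// globals.

// Can the body be parsed as an ECMAScript program? A <script> tag parses the
// whole body before running any of it, so an unparseable body never runs.
// (Function bodies additionally accept top-level `return`; close enough here.)
function parsesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Attacker page globals: a JSONP-style hook with the callback name the
// victim service uses, plus a list of whatever the hook managed to capture.
function makeAttackerScope() {
  const scope = { captured: [] };
  scope.handleData = (data) => scope.captured.push(data);
  return scope;
}

// Simulate <script src="https://victim.example/data"> on the attacker's page:
// the body runs with the attacker's globals in scope. Returns what the
// attacker captured, or null if nothing leaked (syntax error, or the body ran
// without touching any attacker-controlled name).
function loadViaScriptTag(body, attackerScope) {
  if (!parsesAsScript(body)) return null; // browser reports a SyntaxError; nothing executes
  const names = Object.keys(attackerScope);
  const values = names.map((n) => attackerScope[n]);
  try {
    new Function(...names, body)(...values);
  } catch (e) {
    // Runtime errors abort the script silently, just as in a browser.
  }
  return attackerScope.captured.length ? attackerScope.captured : null;
}

// Constructed sample bodies a credentialed cross-origin GET might return.
const RESPONSES = {
  // JSONP: parses, runs, and hands the data straight to the attacker's hook.
  jsonp: 'handleData({"secret":"s3cr3t"});',
  // Bare array literal: parses as a script, but with no hook there is nothing
  // for the attacker to catch in a modern engine.
  bareArray: '[{"secret":"s3cr3t"}]',
  // Bare object literal: `{` opens a block, so `"secret":` is a SyntaxError.
  bareObject: '{"secret":"s3cr3t"}',
  // Common mitigation: an unparseable prefix the legitimate client strips.
  prefixed: ")]}',\n{\"secret\":\"s3cr3t\"}",
};

// Stand-alone run: show which bodies parse and which actually leak.
for (const [name, body] of Object.entries(RESPONSES)) {
  console.log(
    name.padEnd(10),
    'parses:', parsesAsScript(body),
    'leaked:', JSON.stringify(loadViaScriptTag(body, makeAttackerScope())),
  );
}
```

The point the simulation makes is that "parses as ECMAScript" is the precondition for the attack, not the attack itself: the JSONP body leaks outright, the bare array parses but exposes nothing to a hook-less attacker, and the object literal and the `)]}',` prefix never execute at all. That is the media-type-dependent behaviour the two sides of the thread are arguing about.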