Re: [XHR2] new XMLHttpRequest(anon)

On Feb 17, 2010, at 2:33 AM, Jonas Sicking wrote:

>
> The goal is to minimize risk that people make mistakes. No one is
> disputing that if everyone writes perfect code there won't be security
> issues. The problem is that people tend to not write perfect code.
> That is the whole reason for having credential-less requests. So that
> you know that if you never opt in to allowing credentials, there is no
> need to audit the code to ensure that credentials are ignored in the
> appropriate places.
>
> I do sort of like the idea that UMP is the "credential less model".
> I.e. that we essentially have two modes: UMP, with no user credentials
> (cookies, auth headers, etc) and no server credentials (origin
> header), and full on with-credentials (with cookies, origin etc).

I agree that two modes is tempting. But I think the middle mode has  
some valid uses. I mention some below, and there is also the fact that  
it exactly matches what is implemented in XDomainRequest.

> There are a few problems however:
> * Need to figure out the syntax to choose between the two modes
> * UMP doesn't include the referer header (right?). I suspect sites
> will be sad about this as it is often used for things not related to
> security. Possibly they'll be sad enough that they'll opt in to
> credentials just to get the referrer header sent. That defeats the
> purpose of having credential less requests.

Even when Referer is stripped, sites may find Origin useful for  
purposes of logging traffic, or for restricting cross-site access over  
the Web if a particular site is issuing an abusive level of requests.  
They may want to do this even for resources that do not require  
credentials to access.

> * Same-site XHR defaults to with-credentials. But cross-site I
> strongly want to default to without credentials. This complicates the
> syntax issue.

Another thing to think about: if any content is doing cross-site
access without credentials currently, then they are likely using XHR
without a special constructor, and the server is likely responding
with "Access-Control-Allow-Origin: *", and without sending
"Access-Control-Allow-Credentials: true". If we change cross-site XHR to
default to credentials, then all content will break, until at least
one of the client code or the server changes. Because if a request is
sent with credentials, the response will not be revealed unless the
server sends "Access-Control-Allow-Credentials: true".

On the other hand, if there are servers that are not checking
credentials but are doing any filtering or logging based on the sender's
Origin, then they will break if you default to the UMP model.

I think we've been shipping this too long to casually break such sites  
without looking at the impact. It's also possible that by changing the  
security model out from under running code, we will introduce a  
security hole.

Regards,
Maciej

Received on Wednesday, 17 February 2010 11:38:04 UTC
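The breakage Maciej describes (a server answering with "Access-Control-Allow-Origin: *" and no "Access-Control-Allow-Credentials: true" while the browser starts sending credentials by default) can be checked against a small model of the browser-side CORS decision. The code below is an added example, not part of this thread or of any browser's implementation; it follows the CORS response rules as later written down in the Fetch standard (wildcard origin not accepted for credentialed requests, credentials require an exact origin match plus an explicit "true"), and the request objects and server header maps are constructed here for illustration.

```javascript
// Added example (not from the mailing-list thread): model of the browser's
// "may this cross-origin response be revealed to script?" decision.
// Header names and rules follow CORS as specified in Fetch; the request and
// response objects below are constructed for illustration only.

/**
 * Decide whether a browser may expose a cross-origin response to the page.
 * @param {{origin: string, withCredentials: boolean}} request
 *        origin: the page's Origin as sent on the request
 *        withCredentials: whether cookies/HTTP auth were attached
 * @param {Object<string,string>} responseHeaders lower-cased header name -> value
 * @returns {{allowed: boolean, reason: string}}
 */
function corsResponseAllowed(request, responseHeaders) {
  const acao = responseHeaders['access-control-allow-origin'];
  const acac = responseHeaders['access-control-allow-credentials'];

  if (acao === undefined) {
    return { allowed: false, reason: 'no Access-Control-Allow-Origin header' };
  }

  if (!request.withCredentials) {
    // Credential-less request: the wildcard or an exact match of the sender's Origin.
    if (acao === '*' || acao === request.origin) {
      return { allowed: true, reason: 'anonymous request, origin allowed' };
    }
    return { allowed: false, reason: `origin ${request.origin} not allowed` };
  }

  // Request carried credentials: the wildcard is not accepted, the origin must
  // match exactly, and the server must opt in with the literal value "true".
  if (acao === '*') {
    return { allowed: false, reason: 'wildcard origin is not valid with credentials' };
  }
  if (acao !== request.origin) {
    return { allowed: false, reason: `origin ${request.origin} not allowed` };
  }
  if (acac !== 'true') {
    return { allowed: false, reason: 'missing Access-Control-Allow-Credentials: true' };
  }
  return { allowed: true, reason: 'credentialed request, server opted in' };
}

// Constructed sample: a server that has only ever opted in to anonymous access,
// i.e. the deployed pattern the message says would break.
const anonymousOnlyServer = { 'access-control-allow-origin': '*' };

// Constructed sample: a server that deliberately accepts credentials from one origin.
const credentialedServer = {
  'access-control-allow-origin': 'https://app.example',
  'access-control-allow-credentials': 'true',
};

// The scenario from the message: the same page talking to the same server,
// first under today's credential-less default, then with credentials forced on.
function scenarioFromThread() {
  const page = 'https://app.example';
  return {
    // works today: anonymous request, wildcard response
    todayDefault: corsResponseAllowed({ origin: page, withCredentials: false }, anonymousOnlyServer).allowed,
    // breaks if the default flips: credentials sent, server never opted in
    flippedDefault: corsResponseAllowed({ origin: page, withCredentials: true }, anonymousOnlyServer).allowed,
    // works again only once the server side changes its headers
    afterServerChange: corsResponseAllowed({ origin: page, withCredentials: true }, credentialedServer).allowed,
    // a different origin still cannot read a credentialed response
    otherOriginWithCreds: corsResponseAllowed({ origin: 'https://other.example', withCredentials: true }, credentialedServer).allowed,
  };
}

console.log(scenarioFromThread());
```

Running it shows why both sides matter: the anonymous-only server is fine until the client default flips, and the credentialed server is fine only for the one origin it names, which is the audit burden the credential-less mode is meant to remove.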