- From: Philippe De Ryck <philippe.deryck@cs.kuleuven.be>
- Date: Wed, 03 Aug 2011 19:43:28 +0200
- To: public-webapps@w3.org
The following comment contains detailed information about a few issues that were identified during a recent security analysis of 13 W3C standards, organized by ENISA (European Network and Information Security Agency), and performed by the DistriNet Research Group (K.U. Leuven, Belgium). The complete report is available at http://www.enisa.europa.eu/html5 (*), and contains information about the process, the discovered vulnerabilities and recommendations towards improving overall security in the studied specifications.

Issues
--------

CORS-SECURE-2. Unnecessary Processing:

The CORS specification states that if a CORS-aware server receives a simple request from an origin which cannot get access to the response, no headers should be included. The client will then prevent the caller from accessing the response. A question about this decision is why the server should produce a complete response at all. There are two points in this process where a CORS-aware server can decide to stop processing: immediately after checking the Origin header, before processing, and after processing, before constructing the full response body. Returning an empty response at either one of these points is a clear improvement over the current algorithm. Obviously, the client-side checking mechanism still remains in place to prevent unauthorized access to responses coming from legacy servers.

CORS-ISOLATION-1. Unique Origins:

When run in a document with a globally unique identifier for an origin, the Origin header specification requires that null should be sent as the value of the Origin header. The algorithms listed in the CORS specification do not explicitly take the null value into account, leading to some illogical scenarios. It is for instance valid that a request sends origin null and the server responds with an Allow-Origin header with the value null.
(*) HTML version of the report is available as well: https://distrinet.cs.kuleuven.be/projects/HTML5-security/

--
Philippe De Ryck
K.U.Leuven, Dept. of Computer Science

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm
Received on Wednesday, 3 August 2011 17:44:08 UTC
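The two server-side points raised in the message (stopping right after the Origin check instead of producing a full response, and treating the literal Origin value "null" explicitly so it is never echoed back in Access-Control-Allow-Origin) can be made concrete in a small request handler. The code below is an added example, not part of the original post or of any W3C specification text. The allow-list, the request shapes, the `produce_body` callback and the choice of an empty 403 for a rejected origin are assumptions made for illustration.

```python
"""
Added example: a minimal CORS decision routine for a server-side handler.

It demonstrates two defensive choices discussed in the mailing-list post:
  1. Decide on the Origin header *before* doing any work and return an
     empty response when the origin is not allowed (no body is produced).
  2. Treat the literal Origin value "null" (sent by documents with a
     globally unique origin) as "not allowed" and never emit
     Access-Control-Allow-Origin: null.

Everything here (allow-list, status codes, request shapes) is constructed
for illustration and is not taken from the CORS specification.
"""
from typing import Callable, Dict, Optional, Tuple

# Constructed allow-list of the origins this hypothetical resource trusts.
ALLOWED_ORIGINS = frozenset({"https://app.example", "https://admin.example"})

# (status, headers, body)
Response = Tuple[int, Dict[str, str], bytes]


def origin_is_allowed(origin: Optional[str]) -> bool:
    """Return True only for a concrete, allow-listed origin.

    "null" is not an identity (opaque origins all serialize to it), so it
    is rejected explicitly rather than being matched against the list.
    """
    if origin is None or origin == "null":
        return False
    return origin in ALLOWED_ORIGINS


def handle_request(method: str, headers: Dict[str, str],
                   produce_body: Callable[[], bytes]) -> Response:
    """Decide the CORS outcome before any resource processing happens.

    `produce_body` stands in for the (possibly expensive) work of building
    the actual response; it is only invoked when the response will be
    served, so a rejected cross-origin request costs no processing.
    """
    origin = headers.get("Origin")

    if origin is None:
        # No Origin header: not a CORS request. Serve normally and do not
        # attach any CORS headers.
        return 200, {}, produce_body()

    if not origin_is_allowed(origin):
        # Stop immediately after the Origin check: empty response, no CORS
        # headers, and the resource is never processed. The 403 status is
        # an assumption of this example; the post only asks for an empty
        # response.
        return 403, {}, b""

    # Allowed origin: echo exactly the allow-listed value (never "*" with
    # credentials, never "null") and tell caches the answer depends on it.
    cors = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}

    if method == "OPTIONS" and "Access-Control-Request-Method" in headers:
        # Preflight: answer the policy question without touching the resource.
        cors["Access-Control-Allow-Methods"] = "GET, POST"
        return 204, cors, b""

    return 200, cors, produce_body()


if __name__ == "__main__":
    # Constructed sample requests, one per case discussed above.
    samples = [
        ("GET", {}),                                          # same-origin
        ("GET", {"Origin": "https://app.example"}),           # allowed
        ("GET", {"Origin": "https://other.example"}),         # not listed
        ("GET", {"Origin": "null"}),                          # opaque origin
        ("OPTIONS", {"Origin": "https://app.example",
                     "Access-Control-Request-Method": "POST"}),  # preflight
    ]
    for method, hdrs in samples:
        status, out_headers, body = handle_request(
            method, hdrs, lambda: b"resource contents")
        print(method, hdrs.get("Origin"), "->", status, out_headers, body)
```

The check happens at the first of the two points the message identifies, so a disallowed or "null" origin never reaches `produce_body`; the client-side filtering the specification relies on stays in place for legacy servers, this just avoids building a response the browser would discard anyway.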