- From: Jonas Sicking <jonas@sicking.cc>
- Date: Thu, 1 Dec 2011 16:17:34 -0800
- To: Charles Pritchard <chuck@jumis.com>
- Cc: Yehuda Katz <wycats@gmail.com>, "Tab Atkins Jr." <jackalmage@gmail.com>, Nicolas Mollet <nico.mollet@gmail.com>, public-webapps@w3.org
On Thu, Dec 1, 2011 at 3:58 PM, Charles Pritchard <chuck@jumis.com> wrote:
> On 12/1/11 3:48 PM, Jonas Sicking wrote:
>>
>> On Thu, Dec 1, 2011 at 1:51 PM, Charles Pritchard <chuck@jumis.com> wrote:
>>>
>>> There are serious security implications for enabling CORS, even with
>>> session-less requests.
>>> It's going to be a very long opt-in process for file sharing services.
>>
>> This is a very strong statement backed up by absolutely no information
>> or data at all. Not very convincing.
>>
>> Please clarify what you are referring to.
>
> Direct and anonymous read access is a very new thing.
>
> At its most basic: UAs have always required a server, somewhere, to proxy
> anonymous requests. With direct access, items like IP-based security and
> auditing are not as reliable. It'd be very easy to do screen scraping on
> sites that don't particularly want scraping to be done.

Please clarify what you mean by "like IP-based security". It seems to me
that it's *only* IP-based security that is affected.

> While it's easy now, it has to be done from the server-side. When hosts open
> up their servers, they're allowing it to be done client-side.

How does it make a difference that it can be done client-side rather than
server-side? Beyond IP-based security, that is.

In other words, I can see that if you're deploying IP-based filters to
attempt to make certain parties unable to scrape your website, you'll have a
harder time doing this if you're also sending
"Access-Control-Allow-Origin: *". However, you've already signed up for a
basically impossible task, since it's very easy for a screen-scraper to
proxy their requests through various parties around the globe in order to
avoid IP-based filters.

The one threat that I can see is if your website does IP-based
authorization, i.e. automatically giving certain people access to private
areas of your website if their requests come from certain IP-numbers.

But even then, I *think* sending "Access-Control-Allow-Origin: *" only
allows for additional *reading* attacks. Requests that have side-effects can
still be placed by faking which IP number they originate at. I'm not fully
sure about this though. Someone that knows TCP/IP infrastructure better than
me should confirm.

Are these IP-based filters what you are referring to when you are saying
"serious security implications"? Are they really common? I've never heard
of sites doing that, but I'm sure they exist.

And to be even more on-topic, does Photobucket or Dropbox use IP-based
filters to prevent read access?

/ Jonas
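The distinction Jonas draws (a wildcard `Access-Control-Allow-Origin` is harmless on world-readable content but turns an IP-authorized client into a cross-origin read channel for any page that client's browser visits) maps onto a simple server-side rule. The following is an added example, not code from this thread or from any of its participants: a small policy helper that only ever emits the wildcard on resources that have no IP gating, and on IP-gated resources echoes an explicitly allowlisted origin or sends no CORS header at all. The path layout, the trusted address range and the origin allowlist are constructed for the example.

```javascript
// Added example: CORS policy for a server that uses IP-based authorization
// for part of its content. Rule enforced: "Access-Control-Allow-Origin: *"
// may only appear on resources that are readable from anywhere anyway;
// IP-gated resources never get the wildcard, because a browser inside the
// trusted range would otherwise hand their bodies to any cross-origin page.
//
// All paths, ranges and origins below are constructed for this example.

// Hypothetical layout: /public/ is world-readable, everything else is only
// served to clients inside the trusted IPv4 range.
const PUBLIC_PREFIXES = ['/public/'];
const TRUSTED_RANGE = { network: '10.0.0.0', prefixBits: 8 }; // constructed
// Origins explicitly allowed to read IP-gated content cross-origin.
const ALLOWED_ORIGINS = new Set(['https://app.example']);     // constructed

// Convert a dotted-quad IPv4 string to an unsigned 32-bit integer.
function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) throw new Error(`not an IPv4 address: ${ip}`);
  return parts.reduce((acc, p) => {
    const n = Number(p);
    if (!Number.isInteger(n) || n < 0 || n > 255) throw new Error(`bad octet in ${ip}`);
    return ((acc << 8) | n) >>> 0;
  }, 0);
}

// True if ip lies inside range.network/range.prefixBits.
function inRange(ip, range) {
  const mask = range.prefixBits === 0 ? 0 : (0xffffffff << (32 - range.prefixBits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(range.network) & mask) >>> 0);
}

// Decide whether to serve a request and which CORS headers to attach.
// req = { path, remoteIp, origin }; origin is undefined when the browser sent
// no Origin header (same-origin navigation or fetch).
function corsPolicy(req) {
  const isPublic = PUBLIC_PREFIXES.some((p) => req.path.startsWith(p));
  if (isPublic) {
    // No IP gating here: the wildcard exposes nothing the world cannot already fetch.
    return { serve: true, headers: { 'Access-Control-Allow-Origin': '*' } };
  }
  if (!inRange(req.remoteIp, TRUSTED_RANGE)) {
    // IP-based authorization fails: no body, no CORS headers.
    return { serve: false, headers: {} };
  }
  // IP-gated content for a trusted client. Never '*' here: it would let any
  // page this client visits read the content through the client's browser.
  if (req.origin !== undefined && ALLOWED_ORIGINS.has(req.origin)) {
    return {
      serve: true,
      headers: { 'Access-Control-Allow-Origin': req.origin, 'Vary': 'Origin' },
    };
  }
  // Same-origin request, or a cross-origin request from a non-allowlisted
  // origin: serve without ACAO so the browser withholds the body from other
  // origins' scripts.
  return { serve: true, headers: {} };
}

// Constructed sample requests; the second is the case the thread worries about.
const SAMPLES = [
  { path: '/public/logo.png',       remoteIp: '198.51.100.7', origin: 'https://anything.example' },
  { path: '/intranet/payroll.json', remoteIp: '10.1.2.3',     origin: 'https://other.example' },
  { path: '/intranet/payroll.json', remoteIp: '10.1.2.3',     origin: 'https://app.example' },
  { path: '/intranet/payroll.json', remoteIp: '198.51.100.7', origin: undefined },
];

for (const s of SAMPLES) {
  console.log(`${s.path} from ${s.remoteIp} origin=${s.origin} ->`, JSON.stringify(corsPolicy(s)));
}
```

Only the browser enforces what `corsPolicy` decides, so the helper does not change what a non-browser scraper can fetch; that is Jonas's point that the wildcard adds only *reading* capability, and only where the server's reply already depends on the client's IP address.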
Received on Friday, 2 December 2011 00:18:38 UTC