Re: CORS from Tab Atkins Jr. on 2017-10-11 (public-webapps@w3.org from October to December 2017)

From: Tab Atkins Jr. <jackalmage@gmail.com>
Date: Wed, 11 Oct 2017 15:27:09 -0700
To: "Jack (Zhan, Hua Ping)" <jackiszhp@gmail.com>
Cc: Florian Bösch <pyalot@gmail.com>, "public-webapps@w3.org" <public-webapps@w3.org>
Message-ID: <CAAWBYDB00BjmhwLfUxOgdtNSoU80Bfv3jTcnXCk4C9t7YMgpgQ@mail.gmail.com>

On Wed, Oct 11, 2017 at 3:00 PM, Jack (Zhan, Hua Ping)
<jackiszhp@gmail.com> wrote:
>>> I have already responded this to Tab Atkins as follows:
>> You have not. And I ask again. How do you instruct a browser which resource
>> is ok to request from another origin?
>
> When I said "as follows:", the answer text followed. And I elaborated
> a bit more than asked, and at the end I challenge you to defeat me.
> Please read that or here:
> http://lists.w3.org/Archives/Public/public-webapps/2017OctDec/0024.html
> There is no point for me to copy it here again.
>
> But in one sentence: I do not need the browser to do the authorization
> check for me, I do the authorization check myself at server
> https://bankA.com/.

And that's the thing. *You* might do that, and be safe from evil
websites grabbing your customer's personal information. Long, painful
experience shows us that *most* websites do *not* do that.

So, we have two choices:
1. Make websites default to being "open" cross-origin, and depend on
website owners to lock down pages with private info on their own. Pro:
good websites can share information cross-origin really easily. Con: a
lot of people get their private information stolen, and the web as a
whole has sucky security.
2. Make websites default to being "closed" cross-origin, and let
website owners explicitly open them up if they're safe to share. Pro:
most pages are safe from evil websites by default. Con: slightly more
work for websites to share public information.

The web went with #2, and as a result you have good security by
default.  (As Jake has said, some resources that were linkable in the
early web, like images, are stuck with #1. Changing them at this point
would break too much of the web, but as a result we have regular
security issues.)

This is a result of pretty basic security practices that are now
common on the web.  It's not going to change.  You've had the
reasoning behind CORS explained to you several times, and why your
suggestions for an alternate system would be bad for security and
won't be accepted by browsers today.

Unless you have further actual questions, continuing in this thread
will not be productive. You will not change anyone's minds, because
we've thought about the security implications quite a bit before
settling on the current CORS design.  It's a compromise, and has some
downsides, but overall it results in a much safer web with relatively
little pain.

~TJ

Received on Wednesday, 11 October 2017 22:28:03 UTC