W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2012

Re: Why the restriction on unauthenticated GET in CORS?

From: Jonas Sicking <jonas@sicking.cc>
Date: Fri, 20 Jul 2012 20:39:05 -0700
Message-ID: <CA+c2ei9Y70uhC+T3orgdM3_U7jQvnMt77j+6Tu+tonAM+3qWPw@mail.gmail.com>
To: Henry Story <henry.story@bblfish.net>
Cc: Adam Barth <w3c@adambarth.com>, Cameron Jones <cmhjones@gmail.com>, Anne van Kesteren <annevk@annevk.nl>, Ian Hickson <ian@hixie.ch>, public-webapps <public-webapps@w3.org>, public-webappsec@w3.org
On Fri, Jul 20, 2012 at 11:58 AM, Henry Story <henry.story@bblfish.net> wrote:
> On 20 Jul 2012, at 18:59, Adam Barth wrote:
>> On Fri, Jul 20, 2012 at 9:55 AM, Cameron Jones <cmhjones@gmail.com> wrote:
>>> On Fri, Jul 20, 2012 at 4:50 PM, Adam Barth <w3c@adambarth.com> wrote:
>>>> On Fri, Jul 20, 2012 at 4:37 AM, Cameron Jones <cmhjones@gmail.com> wrote:
>>>>> So, this is a non-starter. Thanks for all the fish.
>>>> That's why we have the current design.
>>> Yes, i note the use of the word "current" and not "final".
>>> Ethics are a starting point for designing technology responsibly. If
>>> the goals can not be met for valid technological reasons then that it
>>> a unfortunate outcome and one that should be avoided at all costs.
>>> The costs of supporting legacy systems has real financial implications
>>> notwithstanding an ethical ideology. If those costs become too great,
>>> legacy systems loose their impenetrable pedestal.
>>> The architectural impact of supporting for non-maintained legacy
>>> systems is that web proxy intermediates are something we will all have
>>> to live with.
>> Welcome to the web.  We support legacy systems.  If you don't want to
>> support legacy systems, you might not enjoy working on improving the
>> web platform.
> Of course, but you seem to want to support hidden legacy systems, that is systems none of us know about or can see. It is still a worth while inquiry to find out how many systems there are for which this is a problem, if any. That is:
>   a) systems that use non standard internal ip addresses
>   b) systems that use ip-address provenance for access control
>   c) ? potentially other issues that we have not covered

One important group to consider is home routers. Routers are often
secured only by checking that requests are coming through an internal
connection. I.e. either through wifi or through the ethernet port. If
web pages can place arbitrary requests to such routers it would mean
that they can redirect traffic arbitrarily and transparently.

/ Jonas
Received on Saturday, 21 July 2012 03:40:03 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:28 UTC