W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2013

Re: CORS and 304

From: Jonas Sicking <jonas@sicking.cc>
Date: Wed, 4 Dec 2013 11:51:49 -0800
Message-ID: <CA+c2ei-AifNw1pw+tKJvaTLbbEyzp_Z6RtngcPdUW2NGWiug2g@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Karl Dubost <karl@la-grange.net>, Mark Nottingham <mnot@mnot.net>, Odin HÝrthe Omdal <odinho@opera.com>, Julian Reschke <julian.reschke@gmx.de>, Adam Barth <w3c@adambarth.com>, WebAppSec WG <public-webappsec@w3.org>
On Dec 4, 2013 4:15 AM, "Anne van Kesteren" <annevk@annevk.nl> wrote:
>
> On Wed, Dec 4, 2013 at 11:38 AM, Jonas Sicking <jonas@sicking.cc> wrote:
> > So you mean that if a CGI does a 304 redirect and sends some response
> > headers and a response body, then apache will filter out the headers but
> > send the 304 and the body? Is this specific to 304s?
>
> 304 is not strictly a redirect. 304 is "Not Modified". An indication
> from the server that you can use the cached copy.

Doh! I forgot that's what it means.

However I would say that we then definitely need to require CORS headers
unfortunately.

Otherwise it means that you can just read 304 responses from any website
without any security checks at all. And I think making the claim that a 304
response couldn't possibly contain sensitive data is too bold of a claim.

For example it would let me see when you last got money deposited into your
bank account by polling the "show account summary" URL with different
if-modified-since dates. Any time I get back a 304 it means that the date
used was more recent than when you received money.

Yes, the apache behavior is a problem, but I don't see that we can simply
skip doing any and all security checks.

However, in most cases when 304 responses are involved the website doesn't
actually see the 304 response. Most of the time the website makes a request
for a resource. If the UA has that resource cached, it will then make a
if-modified-since request. If a 304 is returned, without cors headers, then
the UA will return the originally cached response. If this cached response
does have the appropriate cors headers then permission should be granted.

/ Jonas
Received on Wednesday, 4 December 2013 19:52:16 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:03 UTC