W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2013

CORS headers for Access-Control of secondary resources

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Wed, 4 Dec 2013 15:07:05 -0800
Message-ID: <CAPfop_23FCLQmT_zO=KDXu1gqC1fC=9_GM_iGCNUFjiOkQAOHQ@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Hi all

I am wondering if we could extend CORS to allow applications to
opt-out of cross-origin inclusion of protected resources.

Currently, CORS headers are not checked for third-party secondary
resource inclusion. For example, imagine vulnerable.com/foo.js
includes data in the script that contains sensitive information based
on user cookies (or parameters in the URL). attacker.com can include
<script src=vulnerable.com/foo.js> and the script will execute in
attacker.com context, allowing the attacker.com to possibly learn some
secret (for how attacker.com can learn secrets in foo.js, see Adam
Barth et al.'s fantastic paper on Rootkits for JavaScript

I was thinking if we could extend CORS to allow vulnerable.com to
opt-in to stricter protection (put another way, opt-out of
cross-origin inclusion). To do this, vulnerable.com could send
Access-Control-Allow-Origin:vulnerable.com and the browser will *only*
include and run the script in the context of vulnerable.com,
disallowing other includes.  This also provides a defense against
other scenarios where secondary resources like images/styles have
secret information in them (not clear how often though).

This isn't a defense for CSRF, since the browser needs to make the
request to decide whether to allow the response to go through. The
browser also doesn't need to send any new headers in the request
(although, sending a origin header will make this proposal a lot more

What do others think?

Received on Wednesday, 4 December 2013 23:07:53 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:35 UTC