Re: [CORS] Security models and confusion about credentials from Anne van Kesteren on 2013-09-03 (public-webappsec@w3.org from September 2013)

From: Anne van Kesteren <annevk@annevk.nl>
Date: Tue, 3 Sep 2013 10:54:25 +0100
To: Austin William Wright <aaa@bzfx.net>
Cc: WebAppSec WG <public-webappsec@w3.org>
Message-ID: <CADnb78hmOvGLMgAFGq7UUbjat0Ha2Mq_et0eUegM4B0XodvjRQ@mail.gmail.com>

We've had this discussion before. See
http://lists.w3.org/Archives/Public/public-webapps/2009AprJun/thread.html#msg1215
and elsewhere. I'm not particularly interested in going through that
again. The web has cookies, CORS can deal with user credentials, it
can also deal without user credentials. The former requires way more
opt-in.

On Sun, Sep 1, 2013 at 9:46 PM, Austin William Wright <aaa@bzfx.net> wrote:
> In four places, the report says:
>
>     Note: [CORS] The string "*" cannot be used for a resource that supports
> credentials.
>
> One, this note is only informative, where is this normatively specified?

In the user agent section.

It might help to read http://fetch.spec.whatwg.org/ which is a revised
take on CORS (its replacement) and fetching resources on the web in
general.

> Two, is there some guarantee that a CORS-compliant user-agent will not send
> credentials with a request that will be readable?

It won't expose the response unless the response opted in. For some
definition of "readable". Note that e.g. without CORS you can display
an image from a different origin with credentials included, which does
expose some information (existence, height/width).

> Three, I desire to expose all the HTTP headers to XMLHttpRequest and other
> APIs (on the basis that if I didn't want the user-agent to know about it, I
> wouldn't send the header). Is there some reason this might be dangerous? And
> is there some method of specifying this? I cannot be sure of which headers,
> exactly, will be sent with the actual request, when processing the
> pre-flight request. It seems like the solution is to list every single
> header I could possibly send as `Access-Control-Expose-Headers`, which seems
> excessive.

Excessive it has to be. We don't want people to accidentally expose
debug headers.

> One, why are they called "credentials"?

Because that's a common term for this. The term is defined, it's fine.

> And two, section 6.1 "Simple Cross-Origin Request, Actual Request, and
> Redirects" has this note:
>
>     Note: By not adding the appropriate headers resource can also clear the
> preflight result cache of all entries where origin is a case-sensitive match
> for the value of the Origin header and url is a case-sensitive match for the
> URL of the resource.
>
> I don't believe this makes grammatical sense (is there a missing "the"
> before "resource"?)

I can't fix this. Brad?

-- 
http://annevankesteren.nl/

Received on Tuesday, 3 September 2013 09:54:52 UTC