W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2013

Re: [CORS] Security models and confusion about credentials

From: Anne van Kesteren <annevk@annevk.nl>
Date: Tue, 3 Sep 2013 10:54:25 +0100
Message-ID: <CADnb78hmOvGLMgAFGq7UUbjat0Ha2Mq_et0eUegM4B0XodvjRQ@mail.gmail.com>
To: Austin William Wright <aaa@bzfx.net>
Cc: WebAppSec WG <public-webappsec@w3.org>
We've had this discussion before. See
and elsewhere. I'm not particularly interested in going through that
again. The web has cookies, CORS can deal with user credentials, it
can also deal without user credentials. The former requires way more

On Sun, Sep 1, 2013 at 9:46 PM, Austin William Wright <aaa@bzfx.net> wrote:
> In four places, the report says:
>     Note: [CORS] The string "*" cannot be used for a resource that supports
> credentials.
> One, this note is only informative, where is this normatively specified?

In the user agent section.

It might help to read http://fetch.spec.whatwg.org/ which is a revised
take on CORS (its replacement) and fetching resources on the web in

> Two, is there some guarantee that a CORS-compliant user-agent will not send
> credentials with a request that will be readable?

It won't expose the response unless the response opted in. For some
definition of "readable". Note that e.g. without CORS you can display
an image from a different origin with credentials included, which does
expose some information (existence, height/width).

> Three, I desire to expose all the HTTP headers to XMLHttpRequest and other
> APIs (on the basis that if I didn't want the user-agent to know about it, I
> wouldn't send the header). Is there some reason this might be dangerous? And
> is there some method of specifying this? I cannot be sure of which headers,
> exactly, will be sent with the actual request, when processing the
> pre-flight request. It seems like the solution is to list every single
> header I could possibly send as `Access-Control-Expose-Headers`, which seems
> excessive.

Excessive it has to be. We don't want people to accidentally expose
debug headers.

> One, why are they called "credentials"?

Because that's a common term for this. The term is defined, it's fine.

> And two, section 6.1 "Simple Cross-Origin Request, Actual Request, and
> Redirects" has this note:
>     Note: By not adding the appropriate headers resource can also clear the
> preflight result cache of all entries where origin is a case-sensitive match
> for the value of the Origin header and url is a case-sensitive match for the
> URL of the resource.
> I don't believe this makes grammatical sense (is there a missing "the"
> before "resource"?)

I can't fix this. Brad?

Received on Tuesday, 3 September 2013 09:54:52 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:34 UTC