
Re: [CORS] Security models and confusion about credentials

From: Anne van Kesteren <annevk@annevk.nl>
Date: Tue, 3 Sep 2013 19:53:35 +0100
Message-ID: <CADnb78iu5OJ_DJh+_C0qar3SW6BsdkgJYZ5WrWA7LQ+tN6mMSg@mail.gmail.com>
To: Austin William Wright <aaa@bzfx.net>
Cc: "Hill, Brad" <bhill@paypal-inc.com>, WebAppSec WG <public-webappsec@w3.org>
On Tue, Sep 3, 2013 at 7:36 PM, Austin William Wright <aaa@bzfx.net> wrote:
> Some word on credentials (regardless of origin) would still be relevant for
> Security Considerations. Particularly, how resources can require that
> sending of credentials be disabled. For instance, perhaps you could forbid
> requests containing both Origin and Cookie. (Is there any reason this
> wouldn't work? I don't like the sound of it, as it depends on the user agent
> sending the Origin header.)

It won't work because implementations already do this, sites use it,
and we're not going to break them.


Aside: The web security model is defined by HTML:
http://www.whatwg.org/C
Extracting it from there requires lengthy detailed reading though. This
document contains a high-level overview of some of the concepts and
legacy artifacts:
https://tools.ietf.org/html/rfc6454


-- 
http://annevankesteren.nl/
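As an added illustration (not part of the thread or of any implementation discussed in it), this Python sketch contrasts the quoted "reject Origin plus Cookie" rule with a per-Origin policy on the resource side; the origins, allowlist and request headers are constructed.

```python
"""Added example (not from the thread): two server-side ways to handle a
request that arrives with both an Origin header and a Cookie."""
from dataclasses import dataclass, field
from typing import Dict

# Constructed values for a hypothetical resource at https://api.example.
SELF_ORIGIN = "https://api.example"
ALLOWED_ORIGINS = {"https://app.example"}

@dataclass
class Decision:
    status: int
    use_cookie: bool                  # whether the ambient session is honoured
    headers: Dict[str, str] = field(default_factory=dict)

def naive_policy(req: Dict[str, str]) -> Decision:
    """The quoted proposal: refuse anything carrying both Origin and Cookie.
    Browsers already send both on same-origin POSTs, so those break too."""
    if "Origin" in req and "Cookie" in req:
        return Decision(403, False)
    return Decision(200, "Cookie" in req)

def origin_policy(req: Dict[str, str]) -> Decision:
    """Decide per Origin instead: honour the cookie for same-origin and
    allowlisted origins; process requests from any other origin anonymously."""
    origin = req.get("Origin")
    has_cookie = "Cookie" in req
    hdrs = {"Vary": "Origin"}
    if origin is None or origin == SELF_ORIGIN:
        return Decision(200, has_cookie, hdrs)      # not cross-origin
    if origin in ALLOWED_ORIGINS:
        hdrs["Access-Control-Allow-Origin"] = origin
        hdrs["Access-Control-Allow-Credentials"] = "true"
        return Decision(200, has_cookie, hdrs)
    # Unlisted origin: no CORS grant, and the session cookie is ignored so
    # the request cannot act on the user's behalf.
    return Decision(200, False, hdrs)

# Constructed requests: a same-origin POST and two cross-origin fetches.
SAME_ORIGIN_POST = {"Origin": SELF_ORIGIN, "Cookie": "sid=abc"}
TRUSTED_XHR = {"Origin": "https://app.example", "Cookie": "sid=abc"}
UNKNOWN_XHR = {"Origin": "https://other.example", "Cookie": "sid=abc"}

if __name__ == "__main__":
    for name, req in [("same-origin", SAME_ORIGIN_POST),
                      ("trusted", TRUSTED_XHR), ("unknown", UNKNOWN_XHR)]:
        print(name, naive_policy(req), origin_policy(req))
```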
Received on Tuesday, 3 September 2013 18:54:02 UTC
