W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2013

Re: [CORS] Security models and confusion about credentials

From: Austin William Wright <aaa@bzfx.net>
Date: Thu, 5 Sep 2013 11:37:13 -0700
Message-ID: <CANkuk-UV9Hg4jnAa2PPZ6=FAg1Njs1cFaqWnvHjPvvvOWs_8hw@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: "Hill, Brad" <bhill@paypal-inc.com>, WebAppSec WG <public-webappsec@w3.org>
On Tue, Sep 3, 2013 at 11:53 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Tue, Sep 3, 2013 at 7:36 PM, Austin William Wright <aaa@bzfx.net>
> wrote:
> > Some word on credentials (regardless of origin) would still be relevant
> for
> > Security Considerations. Particularly, how resources can require that
> > sending of credentials be disabled. For instance, perhaps you could
> forbid
> > requests containing both Origin and Cookie. (Is there any reason this
> > wouldn't work? I don't like the sound of it, as it depends on the user
> agent
> > sending the Origin header.)
> It won't work because implementations already do this, sites use it,
> and we're not going to break them.

I mean writing a section in Security Concerns for servers/resource authors,
on what a server should to do to ensure that clients cannot make requests
with credentials (regardless of origin). Or to the extent they can, that
the request isn't processed by the server and the response be unreadable by
the script.

But on the topic of user agents, the solution isn't any different than any
other security hole. It doesn't matter how long the hole has been around,
you _fix it_. Security is more important than reverse compatibility,
efficiency, or any other concern.

> Aside: The web security model is defined by HTML:
> http://www.whatwg.org/C Extracting it from there requires lengthy
> detailed reading though. This document contains a high-level overview
> of some of the concepts and legacy artifacts:
> https://tools.ietf.org/html/rfc6454

RFC 6454 isn't marked as obsolete? And I'm purposefully keeping the
discussion of particular technologies as generic as possible. None of this
discussion depends on HTML or Web browsers: I'm not just using HTML, but
JSON Hyper-Schema and scripting embedded in RDF; and I'm not just using Web
browsers, but other user agents like highly coupled HTTP clients and
spiders alike, that consume specific media types (e.g. "JSON-formatted
GitHub commit data, version 3") and self-describing, generic media types
(JSON and RDF as mentioned above), respectively. What an HTML specification
says to these technologies is out-of-scope. And try as it might, I don't
believe HTML can normatively define scripting-related concerns any more
than it could re-define HTTP (it doesn't appear that's in-scope anyways, by
the HTML WG charter).
Received on Thursday, 5 September 2013 18:37:42 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:34 UTC