- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Mon, 23 Feb 2015 20:06:04 +0100
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: Henri Sivonen <hsivonen@hsivonen.fi>, Brad Hill <hillbrad@gmail.com>, WebAppSec WG <public-webappsec@w3.org>, WebApps WG <public-webapps@w3.org>, Monsur Hossain <monsur@gmail.com>, Dale Harvey <dale@arandomurl.com>
On Mon, Feb 23, 2015 at 7:55 PM, Jonas Sicking <jonas@sicking.cc> wrote:
> A lot of websites accidentally enabled cross-origin requests with
> cookies, not realizing that this enabled attackers to make requests
> that had side effects as well as read personal user data without user
> permission.
>
> In short, it was very easy to misconfigure a server, and people did.
>
> This is why I would feel dramatically more comfortable if we only
> enabled server-wide opt-in for credential-less requests. Those are
> many orders of magnitude easier to make secure.

Why is that not served by requiring an additional header that explicitly opts into that case? That, combined with requiring the explicit origin to be listed, has worked well for CORS so far.

-- 
https://annevankesteren.nl/
Received on Monday, 23 February 2015 19:06:28 UTC
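The three server configurations under discussion (a server-wide opt-in for credential-less requests, the accidental "reflect any Origin and allow credentials" misconfiguration, and an explicit per-origin opt-in for credentialed requests), modelled side by side with the browser's response check. This is an added example, not code from the thread or from any browser or server; the real CORS header names are used, but the policy objects, function names and the `evil.example` / `partner.example` origins are constructed for illustration.

```javascript
"use strict";

// Server side: compute the CORS response headers for a given request Origin
// under one of three policies. The policy shapes are this example's own.
function corsHeaders(policy, requestOrigin) {
  const h = {};
  switch (policy.kind) {
    case "public":
      // Server-wide opt-in for credential-less requests only. Safe to hand
      // to every origin: the browser will not attach cookies when reading a
      // "*" response, so the caller learns nothing an anonymous fetch could
      // not learn already.
      h["Access-Control-Allow-Origin"] = "*";
      break;
    case "reflect-with-credentials":
      // The misconfiguration: echo whatever Origin arrives and also allow
      // credentials. Any site on the web can now read the logged-in user's
      // data and trigger side effects with the user's cookies attached.
      h["Access-Control-Allow-Origin"] = requestOrigin;
      h["Access-Control-Allow-Credentials"] = "true";
      h["Vary"] = "Origin";
      break;
    case "allowlist-with-credentials":
      // Explicit per-origin opt-in: only listed origins receive an exact
      // Allow-Origin plus the separate Allow-Credentials header. Everyone
      // else gets no CORS headers, so the browser withholds the body.
      if (policy.origins.includes(requestOrigin)) {
        h["Access-Control-Allow-Origin"] = requestOrigin;
        h["Access-Control-Allow-Credentials"] = "true";
        h["Vary"] = "Origin";
      }
      break;
    default:
      throw new Error("unknown policy " + policy.kind);
  }
  return h;
}

// Browser side: the check a user agent performs before exposing a
// cross-origin response body to script. `withCredentials` models a request
// made with cookies (XHR withCredentials / fetch credentials: "include").
function browserAllowsRead(headers, requestOrigin, withCredentials) {
  const allowOrigin = headers["Access-Control-Allow-Origin"];
  if (allowOrigin === undefined) return false;
  if (withCredentials) {
    // For credentialed requests the wildcard is never accepted: the value
    // must be the exact serialized origin, and credentials must be
    // explicitly allowed by the second header.
    if (allowOrigin === "*") return false;
    if (allowOrigin !== requestOrigin) return false;
    return headers["Access-Control-Allow-Credentials"] === "true";
  }
  return allowOrigin === "*" || allowOrigin === requestOrigin;
}

// Can a page at `attacker` read a credentialed response from a server that
// applies `policy`? Returns true when the read succeeds.
function attackerCanReadWithCookies(policy, attacker) {
  const headers = corsHeaders(policy, attacker);
  return browserAllowsRead(headers, attacker, true);
}

// Constructed origins for the demonstration.
const ATTACKER = "https://evil.example";
const PARTNER = "https://partner.example";

const publicPolicy = { kind: "public" };
const reflectPolicy = { kind: "reflect-with-credentials" };
const allowlistPolicy = { kind: "allowlist-with-credentials", origins: [PARTNER] };

// Summary table a reader can print; the tests below assert the same values.
function summary() {
  return {
    publicWildcardReadWithCookies: attackerCanReadWithCookies(publicPolicy, ATTACKER),
    publicWildcardReadAnonymously: browserAllowsRead(
      corsHeaders(publicPolicy, ATTACKER), ATTACKER, false),
    reflectReadWithCookies: attackerCanReadWithCookies(reflectPolicy, ATTACKER),
    allowlistAttackerReadWithCookies: attackerCanReadWithCookies(allowlistPolicy, ATTACKER),
    allowlistPartnerReadWithCookies: attackerCanReadWithCookies(allowlistPolicy, PARTNER),
  };
}

console.log(summary());
```

The `public` policy is the server-wide, credential-less opt-in Jonas describes: because the browser refuses a `*` value for a credentialed request, a single `Access-Control-Allow-Origin: *` cannot leak cookie-bound data no matter how many origins hit the server. The `reflect-with-credentials` policy is the one-line mistake that made those deployments unsafe. The `allowlist-with-credentials` policy is the shape of the existing CORS rule Anne points to: an exact, listed origin plus a separate header that explicitly opts into the credentialed case.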