
Re: CORS performance

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 23 Feb 2015 20:06:04 +0100
Message-ID: <CADnb78jZu-n=TbXbeTQbzoFA-psS=oBqf8fMdC=OFFj0nT=_-w@mail.gmail.com>
To: Jonas Sicking <jonas@sicking.cc>
Cc: Henri Sivonen <hsivonen@hsivonen.fi>, Brad Hill <hillbrad@gmail.com>, WebAppSec WG <public-webappsec@w3.org>, WebApps WG <public-webapps@w3.org>, Monsur Hossain <monsur@gmail.com>, Dale Harvey <dale@arandomurl.com>
On Mon, Feb 23, 2015 at 7:55 PM, Jonas Sicking <jonas@sicking.cc> wrote:
> A lot of websites accidentally enabled cross-origin requests with
> cookies. Not realizing that that enabled attackers to make requests
> that had side-effects as well as read personal user data without user
> permission.
> In short, it was very easy to misconfigure a server, and people did.
> This is why I would feel dramatically more comfortable if we only
> enabled server-wide opt-in for credential-less requests. Those are
> many orders of magnitude easier to make secure.

Why is that not served by requiring an additional header that
explicitly opts into that case? That, combined with requiring that
the explicit origin be listed, has worked well for CORS so far.

Received on Monday, 23 February 2015 19:06:28 UTC
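The exchange above contrasts two server-side stances: a credential-less, server-wide opt-in (Sicking) and a per-origin listing plus an explicit opt-in for the cookie-carrying case (van Kesteren). The following is an added example, not code from either participant or from any W3C specification. It models the server's header decision under three policies (the origin-reflecting misconfiguration Sicking describes, a wildcard credential-less opt-in, and an allowlist with a separate credential opt-in) and the simplified check a browser performs before exposing a cross-origin response. The policy class, the origin names and the audit helper are constructed for illustration.

```python
"""Added example: CORS server policies next to the browser-side check.

Constructed for this page; the CorsPolicy class, the origin strings and the
audit helper are illustrative, not part of any specification or library.
"""
from dataclasses import dataclass

ACAO = "Access-Control-Allow-Origin"
ACAC = "Access-Control-Allow-Credentials"


@dataclass(frozen=True)
class CorsPolicy:
    # Origins permitted to read responses to requests made *without* cookies.
    allowed_origins: frozenset = frozenset()
    # Subset of origins that have additionally opted in to credentialed access.
    credential_origins: frozenset = frozenset()
    # Server-wide, credential-less opt-in: answer every origin with "*".
    public_without_credentials: bool = False
    # The misconfiguration: echo any Origin back and always grant credentials.
    reflect_any_origin: bool = False


def cors_response_headers(policy: CorsPolicy, request_origin: str) -> dict:
    """Headers the server adds for a request carrying `Origin: request_origin`."""
    headers = {}
    if policy.reflect_any_origin:
        headers[ACAO] = request_origin
        headers[ACAC] = "true"
        headers["Vary"] = "Origin"
        return headers
    if request_origin in policy.credential_origins:
        headers[ACAO] = request_origin
        headers[ACAC] = "true"
        headers["Vary"] = "Origin"
    elif request_origin in policy.allowed_origins:
        headers[ACAO] = request_origin
        headers["Vary"] = "Origin"  # cached responses differ per origin
    elif policy.public_without_credentials:
        headers[ACAO] = "*"  # never combined with Allow-Credentials
    return headers


def browser_allows(headers: dict, request_origin: str, with_credentials: bool) -> bool:
    """Simplified CORS response check: may the calling page read this response?"""
    acao = headers.get(ACAO)
    if acao is None:
        return False
    if with_credentials:
        # For credentialed requests "*" is rejected; the header must name the
        # origin exactly and Allow-Credentials must be literally "true".
        return acao == request_origin and headers.get(ACAC) == "true"
    return acao == "*" or acao == request_origin


def grants_credentials_to_unknown_origin(policy: CorsPolicy) -> bool:
    """Defender-side audit: does this policy hand cookies to an origin it never
    listed? Probes with a constructed origin that no policy should recognise."""
    probe = "https://unlisted.invalid"
    return browser_allows(cors_response_headers(policy, probe), probe, True)


if __name__ == "__main__":
    reflecting = CorsPolicy(reflect_any_origin=True)
    public = CorsPolicy(public_without_credentials=True)
    allowlist = CorsPolicy(
        allowed_origins=frozenset({"https://app.example", "https://partner.example"}),
        credential_origins=frozenset({"https://app.example"}),
    )
    for name, policy in [("reflecting", reflecting), ("public", public), ("allowlist", allowlist)]:
        print(name, "grants credentials to unknown origin:",
              grants_credentials_to_unknown_origin(policy))
```

Only the reflecting policy fails the audit: the wildcard policy is safe precisely because the browser refuses `*` once cookies are attached, which is why a server-wide credential-less opt-in is hard to get wrong, while the allowlist policy has to name each origin twice (once to allow it, once to grant it credentials) before cookies flow.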
