The proposal doesn't talk about eliminating timing-based fingerprinting
possibilities though, which might not be relevant since all internal
resources will be "protected" from outside by default, but worth a
discussion. Like making sure "made up" network error timings are intact
with real network error timings.
On Mon, Jan 4, 2016 at 5:10 AM, Mike West <mkwst@google.com> wrote:
> Happy new year, WebAppSec! This seems like a lovely time to rekindle the
> fire under the public/private origin restriction that we removed from Mixed
> Content way back in 2014 (
> http://www.w3.org/TR/2014/WD-mixed-content-20140722/#private-origin).
>
> I've put together a kinder, gentler take on hardening the user agent
> against the kinds of attacks that such requests enable:
> https://mikewest.github.io/cors-rfc1918/. It's pretty rough, as I've only
> poked at it sporadically over the holidays, but I think there's enough
> there to get a conversation going.
>
> In a nutshell, the proposal is to require a CORS-preflight request for
> requests initiated from the public internet which target private IP space.
> This preflight requires an opt-in on the part of the intranet server via a
> new CORS header, but doesn't block the requests entirely (which was a
> failing of the initial proposal). I imagine this server-side opt-in being
> combined in some intelligent way with a user-side opt-in (Presto-style
> interstitial? permission request?), but I haven't explored anything in that
> direction.
>
> CCing a few folks who've commented on the topic in the past; I imagine
> you'll have opinions. :)
>
> -mike
>