
Re: Accessing the same CORS-Resource from multiple sites

From: Reto Gmür <me@farewellutopia.com>
Date: Thu, 30 Jun 2016 13:00:01 +0200
Message-Id: <1467284401.3287300.652964577.040FC47F@webmail.messagingengine.com>
To: Brad Hill <hillbrad@gmail.com>, public-webappsec@w3.org
Thanks for the link, Brad.
I read "An anonymous request can be made by setting the withCredentials
flag on an XMLHttpRequest to `false`, which causes the browser to omit
the Origin and Cookie headers in the request". If I could prevent the
browser from sending an Origin header this would cause the server to
return "*" as the value of the Access-Control-Allow-Origin header. However,
both Firefox and Chromium sent the Origin header even when
withCredentials is set to false.
On Tue, 28 Jun 2016, at 18:55, Brad Hill wrote:
> If you'd like to comment, I've taken a stab at writing a "CORS for
> Developers" doc we might publish as a Working Group note to try to
> clarify some of this:
> https://docs.google.com/document/d/1AtxTDw-g9BSRW9n9kGTTqNkDTGcVfSKPAOjVGkPFu2k/edit#heading=h.gbk9567omrcz
> On Tue, Jun 28, 2016 at 1:23 AM Reto Gmür
> <me@farewellutopia.com> wrote:
>> On Mon, 27 Jun 2016, at 19:04, Daniel Veditz wrote:
>>> On Mon, Jun 27, 2016 at 5:45 AM, Reto Gmür <me@farewellutopia.com>
>>> wrote:
>>>> It seems that the browser is caching some inferred
>>>> Access-Control-Allow-Origin header and then complaining that the new
>>>> host doesn't match. Note that the server actually returns "*" as the
>>>> value of the header.
>>> When I tried it didn't return "*", it reflected the requesting host.
>>> This _does_ cause caching issues, and the CORS spec says that if a
>>> site does NOT return "*" it should include Origin in its Vary
>>> header to prevent incorrect caching.
>>> 6.4 Implementation Considerations
>>> https://www.w3.org/TR/cors/#resource-implementation
>>> Resources that wish to enable themselves to be shared with multiple
>>> Origins but do not respond uniformly with "*" must in practice
>>> generate the Access-Control-Allow-Origin header dynamically in
>>> response to every request they wish to allow. As a consequence,
>>> authors of such resources should send a Vary: Origin HTTP header or
>>> provide other appropriate control directives to prevent caching of
>>> such responses, which may be inaccurate if re-used across-origins.
>>> Since I can't imagine the w3 site wants to return different cards
>>> for TBL depending on who is asking it really ought to be using
>>> Access-Control-Allow-Origin: * rather than reflecting the requesting
>>> origin. Blindly reflecting the origin is almost never a good idea --
>>> that usually means either the origin doesn't matter (use "*" instead)
>>> or you may be over-sharing data.
>> Thanks Daniel! When I tried with cURL I never sent an Origin header
>> and so the server replied with "Access-Control-Allow-Origin: *".
>> I must say, it doesn't make me very confident that soon more sites
>> will be supporting CORS if not even the W3C manages to configure its
>> server right.
>> Cheers,
>> Reto
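The caching failure Daniel describes above (a reflected Access-Control-Allow-Origin being served from a shared cache to a page on a different origin) can be reproduced without any network. The block below is an added example and is not code from this thread or from the W3C server: it models an origin server with three hypothetical header policies (public "*", reflect the Origin, reflect the Origin plus "Vary: Origin"), a minimal shared cache that honours Vary, and the browser-side check for a credential-less request. The allow-list, the origins `https://a.example` and `https://b.example`, and the function names are all constructed for the simulation. Consistent with Reto's observation, browser requests in the model always carry an Origin header.

```javascript
// Added example, not from the thread: simulates a CORS resource behind a shared
// cache to show why a reflected Access-Control-Allow-Origin needs "Vary: Origin",
// and why "*" is the right answer for a public, credential-less resource.
// All header names are handled lower-cased, as HTTP header names are case-insensitive.

// Policy 1: public resource, identical answer for every requester.
function corsPublic(/* requestHeaders */) {
  return { 'access-control-allow-origin': '*' };
}

// Policy 2: reflect the request Origin (what the thread says the W3C server did),
// with or without "Vary: Origin". Reflection only makes sense with an allow-list;
// this list is hypothetical and exists only for the simulation.
const ALLOWED = new Set(['https://a.example', 'https://b.example']);
function corsReflect(requestHeaders, { vary }) {
  const origin = requestHeaders.origin;
  const h = {};
  if (origin !== undefined && ALLOWED.has(origin)) {
    h['access-control-allow-origin'] = origin;
  }
  if (vary) h['vary'] = 'Origin';
  return h;
}

// Minimal shared cache (CDN or proxy). A stored response may be reused for a
// request only if the request matches on every header named in that response's
// Vary field; a response with no Vary matches any request for the URL.
class SharedCache {
  constructor(originServer) {
    this.originServer = originServer; // function(requestHeaders) -> responseHeaders
    this.entries = [];                // { varyOn: [name], reqValues: {name: value}, response }
  }

  fetch(requestHeaders) {
    for (const e of this.entries) {
      if (e.varyOn.every((n) => e.reqValues[n] === requestHeaders[n])) {
        return { response: e.response, fromCache: true };
      }
    }
    const response = this.originServer(requestHeaders);
    const varyOn = (response.vary || '')
      .split(',')
      .map((s) => s.trim().toLowerCase())
      .filter(Boolean);
    const reqValues = Object.fromEntries(varyOn.map((n) => [n, requestHeaders[n]]));
    this.entries.push({ varyOn, reqValues, response });
    return { response, fromCache: false };
  }
}

// Browser-side CORS check for a request made without credentials: the page may
// read the response only if Access-Control-Allow-Origin is "*" or exactly its
// own origin. A reflected value for some other origin fails this check.
function browserAllows(requestOrigin, responseHeaders) {
  const acao = responseHeaders['access-control-allow-origin'];
  return acao === '*' || acao === requestOrigin;
}

// Two pages on different sites fetch the same URL through one shared cache.
function scenario(policy) {
  const cache = new SharedCache(policy);
  const first = cache.fetch({ origin: 'https://a.example' });
  const second = cache.fetch({ origin: 'https://b.example' });
  return {
    firstAllowed: browserAllows('https://a.example', first.response),
    secondAllowed: browserAllows('https://b.example', second.response),
    secondFromCache: second.fromCache,
    secondAcao: second.response['access-control-allow-origin'],
  };
}

const reflectNoVary = (req) => corsReflect(req, { vary: false });
const reflectVary = (req) => corsReflect(req, { vary: true });

if (typeof require !== 'undefined' && require.main === module) {
  console.log('reflect, no Vary :', scenario(reflectNoVary)); // second page blocked
  console.log('reflect + Vary   :', scenario(reflectVary));   // second page allowed, cache miss
  console.log('public "*"       :', scenario(corsPublic));    // second page allowed, cache hit
}
```

With the reflect-without-Vary policy the second page receives the first page's cached response, its Access-Control-Allow-Origin names `https://a.example`, and the browser check fails, which is the "doesn't match" error reported at the top of the thread. Adding "Vary: Origin" keys the cache per origin, at the cost of one cached copy per origin. For data that is the same for everyone, "*" avoids both the per-origin cache entries and the over-sharing risk, with the one caveat that "*" cannot be combined with Access-Control-Allow-Credentials, so a resource that needs cookies must use the allow-listed reflection plus Vary.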
Received on Thursday, 30 June 2016 11:00:25 UTC
