
Reports feature violates the same-origin policy

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 15 Feb 2017 16:51:15 +0100
Message-ID: <CADnb78jVf1FCDOEusCKXnjnFvykfoGf-0rr_KMfcWzkWL+AJfw@mail.gmail.com>
To: WebAppSec WG <public-webappsec@w3.org>
Reports go across origins and don't follow the MIME type safelist from
CORS/HTML forms. It seems problematic that we keep breaking our own
rules with regard to the same-origin policy, especially as it doesn't
seem to happen on purpose.

Note that simply adding these MIME types to the safelist would not be
great either, as the servers that are currently "guaranteed" to get
JSON (depends a little bit on whether tokens are used or whether it's
an intranet as I believe credentials are not included in these
reports), might then be able to get more carefully crafted attack
payloads.


-- 
https://annevankesteren.nl/
Received on Wednesday, 15 February 2017 15:51:46 UTC
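As an added illustration (not part of Anne's message), here is the Content-Type check CORS applies before letting a cross-origin request skip the preflight, written from memory of the Fetch Standard's "CORS-safelisted request-header" rule (the exact byte set and limits are assumed from that spec). It shows why a report type such as application/csp-report would normally be preflighted, which is the safelist the mail says report delivery bypasses.

```javascript
// Added example (not code from the original mail): the Content-Type rule
// CORS applies before allowing a cross-origin request without a preflight,
// modelled on the Fetch Standard's "CORS-safelisted request-header" check
// (details written from memory; treat them as an assumption).

const SAFELISTED_ESSENCES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// HTTP token code points permitted in a MIME type and subtype.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~A-Za-z0-9]+$/;

// A "CORS-unsafe request-header byte" anywhere in the value disqualifies
// the header, even when the MIME essence itself is safelisted.
function hasCorsUnsafeByte(value) {
  for (const ch of value) {
    const b = ch.codePointAt(0);
    if (b < 0x20 && b !== 0x09) return true; // controls other than HTAB
    if (b === 0x7f || b > 0xff) return true; // DEL, or not a single byte
    if ('"():<>?@[\\]{}'.includes(ch)) return true;
  }
  return false;
}

// Returns "type/subtype" in lower case, or null if the value does not parse.
function mimeEssence(value) {
  const [typeSubtype] = value.split(";");
  const parts = typeSubtype.trim().split("/");
  if (parts.length !== 2) return null;
  const [type, subtype] = parts.map((p) => p.trim());
  if (!TOKEN_RE.test(type) || !TOKEN_RE.test(subtype)) return null;
  return `${type}/${subtype}`.toLowerCase();
}

// True when a request carrying this Content-Type may be sent cross-origin
// without a CORS preflight; false means a preflight would be required.
function isCorsSafelistedContentType(value) {
  if (new TextEncoder().encode(value).length > 128) return false;
  if (hasCorsUnsafeByte(value)) return false;
  const essence = mimeEssence(value);
  return essence !== null && SAFELISTED_ESSENCES.has(essence);
}
```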
