W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2017

Re: Reports feature violates the same-origin policy

From: Mike West <mike@mikewest.org>
Date: Wed, 15 Feb 2017 17:56:39 +0100
Message-ID: <CAJToGzNBB0xz5A_B0teh39onvb4fohVBm4smZw4U3Y+DEiZZ7Q@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: WebAppSec WG <public-webappsec@w3.org>
On Wed, Feb 15, 2017 at 4:51 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> Reports go across origins and don't follow the MIME type safelist from
> CORS/HTML forms. It seems problematic that we keep breaking our own
> rules with regards to the same-origin policy, especially as it doesn't
> seem to happen on purpose.
>

I agree that we're not doing a great job here. Practically, I'm not
terribly worried about this since the browser remains in control of the
payload's content and structure. It is, however, clearly a blot on our
record if we're exempting ourselves from certain rules without explaining
how that could possibly be justified.

This is an issue for CSP, and for the upcoming
https://wicg.github.io/reporting/.


> Note that simply adding these MIME types to the safelist would not be
> great either, as the servers that are currently "guaranteed" to get
> JSON (depends a little bit on whether tokens are used or whether it's
> an intranet as I believe credentials are not included in these
> reports), might then be able to get more carefully crafted attack
> payloads.
>

I agree with your analysis about this course of action. Given that it seems
like a bad idea, what would you suggest that we do?

-mike
Received on Wednesday, 15 February 2017 16:57:43 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:22 UTC