- From: Mike West <mkwst@google.com>
- Date: Wed, 10 May 2017 12:13:58 +0200
- To: James Kettle <james.kettle@portswigger.net>, Anne van Kesteren <annevk@annevk.nl>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAKXHy=cmYCd=8iD93Nja2d6cLqJ5h2EtdgLLnD4MjBCPmfJn1Q@mail.gmail.com>
Thanks, James!

On Tue, May 9, 2017 at 5:41 PM, James Kettle <james.kettle@portswigger.net> wrote:

> We could reduce the number of sites forced to do dynamic generation by:
>
> - Enabling static trust of multiple origins by supporting a space-separated list of origins
> - Enabling static trust of all subdomains by supporting the use of partial wildcards like https://*.example.com

+Anne, who will have opinions.

> Trusting the 'null' origin is equivalent to trusting * except it's less obviously risky, and actually more dangerous since the allow-credentials exception for * doesn't apply to null. I think it may be helpful to apply the allow-credentials exception to 'null'.

For clarity, you're suggesting that `Access-Control-Allow-Origin: null` should not be allowed if the request included credentials (in the same way that we block `Access-Control-Allow-Origin: *`)? I think I could get behind that, depending on usage in the wild.

> Websites accessed over HTTPS can use CORS to grant credentialed access to HTTP origins, which partially nullifies their use of HTTPS. Perhaps browsers' mixed content protection should block such requests, or at least disable allow-credentials for HTTP->HTTPS requests.

Interesting. You're suggesting that `https://example.com/` should not be able to send `Access-Control-Allow-Origin: http://whatever.com`? That sounds reasonable on the one hand, but I suspect that it's widely used on the other (all (I hope) Google API endpoints are HTTPS, for example, but not all of those APIs' clients will be). I'll add some metrics to Chrome to see if that suspicion is borne out.

> I've written a longer blog post on this topic over at http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html and I'll be presenting on this topic at AppSec EU on Friday so feel free to say hi if you're around.

Looking forward to catching the recording. :)

-mike
Received on Wednesday, 10 May 2017 10:14:52 UTC
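The rules argued over in the message above, as an added example that is not part of the thread and not browser or Chrome code: a simplified model of the CORS check from the Fetch standard, with switches for the two stricter rules James proposes (treat a literal `null` like `*` for credentialed requests; refuse to release credentials from an https: resource to an http: origin), run against a few constructed server-side policies. Header names are assumed to be lowercased, and every origin, host name and policy below is made up for the example.

```javascript
// Added example, not part of the thread: a simplified model of the browser's
// CORS check (the "CORS check" algorithm in the Fetch standard) with switches
// for the two stricter rules proposed in the message, run against a few
// constructed server-side policies. Header names are assumed lowercased;
// every origin, policy and host name below is made up for the example.

// Browser side. requestOrigin is the serialized origin of the requesting
// page; an opaque origin (sandboxed iframe, data: URL, file:) serializes to
// the literal string "null", which is what a static "Allow-Origin: null" matches.
function corsCheck(requestOrigin, credentialsMode, headers, opts = {}) {
  const acao = headers["access-control-allow-origin"];
  const acac = headers["access-control-allow-credentials"];
  const withCreds = credentialsMode === "include";

  if (acao === undefined) {
    return { ok: false, reason: "no Access-Control-Allow-Origin" };
  }

  // "*" is accepted only when the request carries no credentials.
  if (acao === "*") {
    return withCreds
      ? { ok: false, reason: "* is not valid with credentials" }
      : { ok: true, reason: "wildcard, no credentials" };
  }

  // Proposed rule 1: extend the "*" credentials exception to the literal "null".
  if (opts.nullLikeWildcard && acao === "null" && withCreds) {
    return { ok: false, reason: "null is not valid with credentials (proposed)" };
  }

  // The header must equal the request origin byte for byte: a space-separated
  // list or a partial wildcard never matches, which is why sites end up
  // generating the header dynamically (usually by reflecting Origin).
  if (acao !== requestOrigin) {
    return { ok: false, reason: "origin mismatch" };
  }
  if (!withCreds) {
    return { ok: true, reason: "origin match, no credentials" };
  }

  // Proposed rule 2: an https: resource may not release credentials to an http: origin.
  if (opts.blockHttpOriginOnHttps && opts.resourceScheme === "https" &&
      requestOrigin.startsWith("http:")) {
    return { ok: false, reason: "https resource, http origin (proposed)" };
  }

  // Credentials are exposed only on an exact "true".
  return acac === "true"
    ? { ok: true, reason: "credentialed origin match" }
    : { ok: false, reason: "Access-Control-Allow-Credentials is not true" };
}

// Server side: each policy maps the request's Origin header to the response
// headers the server would send. All constructed for this example.
const ALLOWED = new Set(["https://app.example", "https://admin.example"]);
const grant = (origin) => ({
  "access-control-allow-origin": origin,
  "access-control-allow-credentials": "true",
});
const policies = {
  reflect: (origin) => grant(origin),                 // trusts whoever asks
  trustNull: () => grant("null"),                     // static trust of "null"
  wildcard: () => grant("*"),                         // readable by all, no credentials
  staticList: () => grant("https://app.example https://admin.example"), // never matches
  allowList: (origin) => (ALLOWED.has(origin) ? grant(origin) : {}),    // the safe shape
};

// Which of these constructed attacker origins can read a credentialed
// response under a given policy? "null" stands for a sandboxed iframe.
const ATTACKER_ORIGINS = ["https://attacker.example", "http://attacker.example", "null"];

function credentialedReaders(policyName, opts = {}) {
  const policy = policies[policyName];
  return ATTACKER_ORIGINS.filter(
    (origin) => corsCheck(origin, "include", policy(origin), opts).ok
  );
}

// Usage: compare today's rules with both proposals switched on.
const proposed = { nullLikeWildcard: true, blockHttpOriginOnHttps: true, resourceScheme: "https" };
for (const name of Object.keys(policies)) {
  console.log(name, "today:", credentialedReaders(name), "proposed:", credentialedReaders(name, proposed));
}
```

Running it shows the asymmetry James describes: today an origin-reflecting endpoint hands credentialed responses to all three attacker origins and a static `null` grant hands them to the sandboxed-iframe case, while `*` is harmless with credentials because the browser refuses it. The static list never matches anyone, including the two legitimate origins, which is the pressure that pushes sites towards reflection. Proposed rule 1 closes the `null` case; proposed rule 2 only removes the http: origin, so a reflecting https: endpoint still leaks to an https: attacker and the only safe policy remains an exact allow-list.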