W3C home > Mailing lists > Public > public-webappsec@w3.org > May 2017

Re: Improving CORS security

From: Daniel Veditz <dveditz@mozilla.com>
Date: Fri, 12 May 2017 11:18:17 -0700
Message-ID: <CADYDTCCz5sGc9=npAYmao9sN+GRvSY38feA-c-ustA4=+btj0A@mail.gmail.com>
To: James Kettle <james.kettle@portswigger.net>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Fri, May 12, 2017 at 10:20 AM, James Kettle <james.kettle@portswigger.net
> wrote:

> I think this would need to support credentials for anyone to use it. I
> agree that trusting all subdomains isn't really a great idea, but it's a
> common use case and if you enforced a rule like '* must be followed by .'
> you could help out the many sites making Zomato's mistake of trusting
> literally everything that ends in zomato.com, including notzomato.com

​Wildcards in CSP directives have this requirement (apart from​ standalone
"*"). Completely reasonable.

Maybe mixed content was a poor choice of terminology. I think this
> suggestion might have been misunderstood slightly. I'm suggesting that an
> application that specifies ACAO: true and ACAO: <some HTTP origin> should
> have the ACAC flag ignored. I don't see how this will making upgrading
> sites to HTTPS harder, since as Anne said the standard approach is to
> upgrade CDNs first and the application afterward, and it's only
> applications that care about allowing credentials.

​Does Google have any telemetry on how often http->https XHR/fetch
explicitly request credentials? Mozilla mixed-content telemetry ignores
insecure documents so we don't have any.

​Dan VEditz​
Received on Friday, 12 May 2017 18:19:41 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:55:01 UTC