RE: CfC: CORS to advance to Last Call

Sorry to join the discussion late. (thanks for including us, Thomas)

I've gone back to the Don't Be a Deputy (DBAD) and CORS vs. UMP conversations archived in various places.  While I was not a participant at the time and my context is limited, it appears to me the discussions conflated a number of issues, and many have been addressed by the current design of CORS.  As co-chair of the new WG now shepherding these specs, I have made a personal appeal to Mark Miller and Tyler Close to bring any remaining issues they have to us, but haven't received a response.

The ability of web browsers to be abused as deputies is considerable, and has been for a long time, independent of CORS or XHR.  With the restrictions on non-simple methods, I don't believe CORS as currently specified gives qualitatively new or different capabilities to a would-be CSRF attacker.  The attacks I find described in the DBAD discussions can be accomplished with cross-origin POSTs from almost the beginning of the Web.  Most don't even need a scriptable user-agent.

I can understand how the CORS vs. UMP debate *occasioned* a larger discussion about the architecture of the web and ambient authority, but it seems it was a philosophical argument, with CORS as a representative of the status quo, not as a harbinger of new vulnerabilities.  The question of cross-origin ambient authority in the user-agent was and remains bigger than and orthogonal to CORS, and one that shouldn't hold it back from going to LC.  If a decision is eventually reached that the ambient authority implied by the architecture of the Web must be curtailed, patching user-agents to force "Access-Control-Allow-Credentials: false" will be possibly the smallest and easiest change the community will have to make.

Brad Hill
Co-chair, WebAppSec WG

Received on Friday, 23 December 2011 17:40:11 UTC
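The two CORS rules the message leans on (which requests go out without a preflight, and when a browser lets script read a cross-origin response) as an added illustration that is not part of the original message or of any W3C text. It models the rules in plain JavaScript so the "a form could always do this" point and the "force Access-Control-Allow-Credentials: false" point can be checked side by side. The origins, the policy object and all function names are assumptions made for this example.

```javascript
// Added example, not code from the original message or from any W3C spec text.
// It models two CORS rules the message relies on: which requests are "simple"
// (sent without a preflight, i.e. the same set an HTML form can already send),
// and when a browser exposes a cross-origin response to script. Origins, the
// policy object and the function names are assumptions made for this example.

const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// A request is "simple" when its method and every header are CORS-safelisted.
// Such requests reach the server with no preflight and with cookies attached,
// exactly as a cross-origin <form> POST has always done; CORS only governs
// whether the *response* is later readable by the requesting page.
function isSimpleRequest(method, headers) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return false;
  for (const [name, value] of Object.entries(headers)) {
    const lname = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lname)) return false;
    if (lname === "content-type") {
      const mime = value.split(";")[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mime)) return false;
    }
  }
  return true;
}

// Server side: the CORS headers a resource emits for a given Origin.
// An origin not in the policy gets no CORS headers at all; note the request
// itself has still been processed by the time this runs.
function corsResponseHeaders(origin, policy) {
  const out = {};
  if (!policy.allowedOrigins.includes(origin)) return out;
  out["access-control-allow-origin"] = origin;
  if (policy.allowCredentials) out["access-control-allow-credentials"] = "true";
  return out;
}

// Browser side: may the requesting script read the response?
// With credentials, the origin must match exactly (never "*") and
// Access-Control-Allow-Credentials must be exactly "true".
function responseExposedToScript(origin, withCredentials, responseHeaders) {
  const acao = responseHeaders["access-control-allow-origin"];
  if (acao === undefined) return false;
  if (withCredentials) {
    return acao === origin &&
      responseHeaders["access-control-allow-credentials"] === "true";
  }
  return acao === "*" || acao === origin;
}

// The "patched user-agent" from the message: treat Allow-Credentials as always
// false before evaluating, so no credentialed cross-origin response is exposed.
function responseExposedWithCredentialsForcedOff(origin, withCredentials, responseHeaders) {
  const forced = { ...responseHeaders, "access-control-allow-credentials": "false" };
  return responseExposedToScript(origin, withCredentials, forced);
}

// Constructed scenario (hypothetical hosts): a page at https://evil.example
// targets https://bank.example, whose policy lists only https://app.example.
function runScenarios() {
  const bankPolicy = { allowedOrigins: ["https://app.example"], allowCredentials: true };
  const formPost = isSimpleRequest("POST", { "Content-Type": "application/x-www-form-urlencoded" });
  const jsonPut  = isSimpleRequest("PUT",  { "Content-Type": "application/json" });
  const evilHeaders = corsResponseHeaders("https://evil.example", bankPolicy);
  const appHeaders  = corsResponseHeaders("https://app.example",  bankPolicy);
  return {
    formPostIsSimple: formPost,  // true: reaches the bank, cookies and all, no CORS needed
    jsonPutIsSimple: jsonPut,    // false: a preflight is required first
    evilCanRead: responseExposedToScript("https://evil.example", true, evilHeaders),   // false
    appCanRead:  responseExposedToScript("https://app.example",  true, appHeaders),    // true
    appCanReadOnPatchedUA:
      responseExposedWithCredentialsForcedOff("https://app.example", true, appHeaders), // false
  };
}

console.log(runScenarios());
```

The model deliberately leaves out details such as the byte-length limit on safelisted header values and the Range special case; the point it makes is that the simple-request set is the set a plain HTML form already sends, so the CSRF exposure predates CORS, while the credentials flag is the single switch that decides whether such a response ever becomes readable.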