Hi All,
Since I haven't received any feedback on the various straw-men in the
"Opting in to cookies" thread, I'll send a full proposal (wrote most of
this yesterday, Thomas wrote some opinions on cookies this morning).
First off, as before, when I talk about "cookies" in this mail I really
mean cookies + digest auth headers + any other headers that carry the
users credentials to a site. However i'll just use the term "cookies"
for readability, and since that is on the web currently the most
common carrier of credentials.
So here goes:
When loading a resource using access-control associate the request with
a "with credentials" flag.
When the resource is loaded using an URI which starts with the string
"user-private:" set the "with credentials" flag to true. Otherwise set
it to false.
Make the following modifications to the Access Control Check Algorithm
(as described in section 5.2.1):
Add a step before step 1 that says:
If the "with credentials" flag is true and the HTTP header
"Access-Control-Allow-Credentials" is missing or not set to the
value "all" then return "fail".
Also insert a step between step 3 and step 4 that says:
If the "with credentials" flag is true then terminate the
algorithm and return "fail".
When doing a Simple Cross-Site Access Request (section 5.1.3)
credentials are only sent in the request in step 3 if the "with
credentials" flag is true.
When doing a Cross-Site Access Request with Preflight (section 5.1.4)
make the following modifications:
Entries in the access preflight result cache (section 5.1.4) are
modified such that they include a "with credentials" field.
Change the first paragraph in step 5 to say:
Locate the entry in the preflight result cache where the origin
matches the origin field value, and the current request URI is
identical to the uri field value or starts with the uri prefix field
value. If there is such an entry and that entry has the "with
credentials" field value set to false, and the "with credentials"
flag for the request is set to true, terminate the algorithm and
return "fail". Otherwise, if an entry was located, proceed to the
next step.
Modify the last sentence of the paragraph in step 7 to say:
Then append a cache entry and set the uri prefix field value for
that entry to the policy URI, and the "with credentials" to true if
the response contained a "Access-Control-Allow-Credentials" HTTP
header with the value "all", or false otherwise.
The result of this is that adding the header
"Access-Control-Allow-Credentials: all" allows the server to opt in to
receiving cookies. This header is only applied to Access-Control
headers, not <?Access-Control?> PIs.
A nice side effect is that is that if there is no way to use cookies
together with the <?Access-Control?> PI. This means that if an attacker
somehow manages to modify the content of a reply in such a way that a
Access-Control PI is inserted, most of the time no dangerous requests
can be made, and no private data can be leaked. The exception is when
the server is protected by a firewall, however that is much less common,
especially for such servers to participate in mashups.
This should make keeping the <?Access-Control?> PI in the spec
significantly less likely to cause exploitable servers.
/ Jonas
