Hi All,
I think it would be good if we could more explicitly define the two
security modes for Access-Control: with cookies vs. without cookies.
Right now the spec talks about the with-credentials flag either being
true or false; however, it doesn't really receive as much attention as,
for example, simple vs. preflighted requests.
I think we should make this a bit more explicit for a couple of reasons:
First of all, requests without credentials have vastly different security
considerations from requests with credentials. Basically every server on
the Internet could add an
Access-Control-Allow-Origin: *
header without being concerned about security. It could even always echo
back the Access-Control-Request-Method/Access-Control-Request-Headers as
Access-Control-Allow-Methods/Access-Control-Allow-Headers, still without
adding any extra security risk.
The reason for this is that this would just result in requests and data
disclosure that can already happen on the web today, server-to-server.
Once you add credentials to the requests, though, you have to be much more
careful not to leak users' private information, not to allow operations
that require authorization to happen, etc.
Second, it would allow implementations such as Microsoft's XDR (if they
end up supporting Access-Control) to talk more precisely about which
parts of the spec they use.
One way to talk about this is as requests for public versus private
resources. This is definitely something we should talk about in the
Security Considerations section (which in general seems to be missing a
part about servers). We should also talk about it in the Processing
Model section.
Let me know what you think.
/ Jonas
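The two modes described in the message above, written out as server-side header logic. This is an added example, not code from the original message or from any Access-Control implementation; the origin allowlist, the allowed method/header sets, the request objects and all function names are constructed for illustration. In "public" mode the server answers with `Access-Control-Allow-Origin: *` and echoes the requested method and headers, which discloses nothing a server-to-server fetch could not already obtain. In "private" (credentialed) mode it only ever returns an origin from an explicit allowlist, never `*` (current browsers reject `*` when credentials are sent) and never a blind echo of the `Origin` header, since echoing an arbitrary origin together with `Access-Control-Allow-Credentials: true` is precisely the leak of user-private data the message warns about.

```javascript
// Added example (not part of the original message). Header names in the
// request object are lowercased, as most server frameworks present them.

// Constructed allowlists for the private (credentialed) mode.
const TRUSTED_ORIGINS = new Set(["https://app.example", "https://admin.example"]);
const PRIVATE_ALLOWED_METHODS = new Set(["GET", "POST"]);
const PRIVATE_ALLOWED_HEADERS = new Set(["content-type", "x-requested-with"]);

// Public mode: anyone on the Internet can already fetch this resource
// server-to-server, so "*" plus echoing the requested method/headers adds
// no new disclosure. No Allow-Credentials header is ever emitted here.
function publicCorsHeaders(req) {
  const out = { "Access-Control-Allow-Origin": "*" };
  if (req["access-control-request-method"]) {
    out["Access-Control-Allow-Methods"] = req["access-control-request-method"];
  }
  if (req["access-control-request-headers"]) {
    out["Access-Control-Allow-Headers"] = req["access-control-request-headers"];
  }
  return out;
}

// Private mode: the response depends on the user's cookies, so the origin must
// be on an explicit allowlist, and methods/headers come from fixed lists rather
// than being echoed. Returning null means "send no CORS headers at all", which
// makes the browser withhold the response from the calling page.
function privateCorsHeaders(req) {
  const origin = req["origin"];
  if (!origin || !TRUSTED_ORIGINS.has(origin)) {
    return null; // unknown origin: deny
  }
  const method = req["access-control-request-method"];
  if (method && !PRIVATE_ALLOWED_METHODS.has(method.toUpperCase())) {
    return null; // allowlisted origin, but a method we do not expose to it
  }
  const requested = req["access-control-request-headers"];
  if (requested) {
    const names = requested
      .split(",")
      .map((h) => h.trim().toLowerCase())
      .filter(Boolean);
    if (!names.every((h) => PRIVATE_ALLOWED_HEADERS.has(h))) {
      return null; // a requested header is not in the fixed list
    }
  }
  return {
    "Access-Control-Allow-Origin": origin, // exact allowlisted value, never "*"
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": [...PRIVATE_ALLOWED_METHODS].join(", "),
    "Access-Control-Allow-Headers": [...PRIVATE_ALLOWED_HEADERS].join(", "),
    Vary: "Origin", // the answer differs per origin; keep shared caches honest
  };
}

// Dispatch on whether the resource is public or private, the distinction the
// message proposes making explicit in the spec.
function corsHeaders(req, resourceIsPublic) {
  return resourceIsPublic ? publicCorsHeaders(req) : privateCorsHeaders(req);
}

// Constructed preflight from a site that is not on the allowlist.
const fromStranger = {
  origin: "https://evil.example",
  "access-control-request-method": "DELETE",
  "access-control-request-headers": "X-Custom, Authorization",
};
// Constructed preflight from an allowlisted site.
const fromApp = {
  origin: "https://app.example",
  "access-control-request-method": "POST",
  "access-control-request-headers": "Content-Type",
};

console.log(corsHeaders(fromStranger, true));  // public: "*" and echoed lists
console.log(corsHeaders(fromStranger, false)); // private: null, denied
console.log(corsHeaders(fromApp, false));      // private: exact origin + credentials
```

The same unknown origin is therefore fully served in public mode and silently refused in private mode; the server code for the two cases shares nothing but the dispatcher, which is the practical consequence of treating them as separate security modes.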