On Tue, Jun 9, 2009 at 2:52 PM, Adam Barth <[email protected]> wrote:
> On Tue, Jun 9, 2009 at 2:20 PM, Tyler Close <[email protected]> wrote:
>> I had thought CORS, by its use of Origin, was meant to be a safe
>> replacement for JSON-P.
>
> Can you explain again how the attack works for Origin-header-for-CORS?
> Keep in mind that the response is delivered to the original
> requester, who should be accurately identified by the Origin header
> (even through redirects).
But the side-effects of the request still happen. The attacker can cause mutation of server-side state belonging to the victim user. I believe the scenario in the first email works as described in CORS. I don't see anything in the CORS redirect steps that changes the Origin processing from what is described in your I-D.

http://www.w3.org/TR/access-control/#redirect-steps

These documents really need to state that they are only addressing messaging between mutually trusting sites.

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
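The point Tyler makes above, that a cross-origin request's side effects occur whether or not the response is later readable, can be shown with a small server-side model. The following Python is an added example for this thread, not code from either correspondent or from any CORS implementation; the allowlist, the "balance" state, the request fields and the origins are all constructed for illustration. It contrasts a handler that mutates state and only afterwards decides whether to emit Access-Control-Allow-Origin (the response-filtering model Adam describes) with one that checks Origin before doing anything.

```python
# Added example (not from the thread): a minimal model of a CORS-enabled
# endpoint that mutates per-user state. It shows why hiding the *response*
# from an untrusted origin does not prevent the request's side effects.
# TRUSTED_ORIGINS, the store layout and the request shape are constructed.

TRUSTED_ORIGINS = {"https://app.example"}  # hypothetical allowlist of trusting sites


def handle_naive(request, store):
    """Perform the side effect first, then decide whether the response is readable.

    This mirrors the model questioned in the thread: the browser withholds the
    response body from an origin not named in Access-Control-Allow-Origin, but
    by the time that decision is made the mutation has already happened.
    """
    user = request["cookie_user"]                 # ambient credential (session cookie)
    store[user]["balance"] -= request["amount"]   # mutation runs unconditionally
    headers = {}
    if request["origin"] in TRUSTED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = request["origin"]
    return {"status": 200, "headers": headers}


def handle_checked(request, store):
    """Reject requests from untrusted origins before any state changes.

    Origin only tells the server which site issued the request; for a server
    that is not in a mutual-trust relationship with that site, the right
    response is to refuse before mutating, not to mutate and then hide the
    result. An explicit anti-CSRF token remains advisable for same-origin and
    non-browser callers; the point here is the ordering: check, then mutate.
    """
    if request["origin"] not in TRUSTED_ORIGINS:
        return {"status": 403, "headers": {}}
    user = request["cookie_user"]
    store[user]["balance"] -= request["amount"]
    return {"status": 200, "headers": {"Access-Control-Allow-Origin": request["origin"]}}


def simulate(handler):
    """Run one constructed cross-origin POST that carries the victim's session cookie.

    Returns (HTTP status, victim balance afterwards) so the two handlers can be
    compared on the same input.
    """
    store = {"victim": {"balance": 100}}          # constructed server-side state
    request = {
        "method": "POST",
        "origin": "https://other.example",        # constructed third-party origin, not allowlisted
        "cookie_user": "victim",                  # browser attaches the victim's session
        "amount": 40,
    }
    response = handler(request, store)
    return response["status"], store["victim"]["balance"]


if __name__ == "__main__":
    # naive:   (200, 60)  -> response hidden from the caller, but state already changed
    # checked: (403, 100) -> request refused before any mutation
    print("naive:  ", simulate(handle_naive))
    print("checked:", simulate(handle_checked))
```

Running the block shows the naive handler returning 200 with no Access-Control-Allow-Origin header (so the calling page never sees the body) while the victim's balance has nonetheless dropped from 100 to 60; the checked handler returns 403 and leaves the balance untouched. That difference is exactly the gap between "the response is delivered only to the identified requester" and "the request has no effect unless the requester is trusted".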
