On Jan 9, 2010, at 1:57 PM, Tyler Close wrote:
On Sat, Jan 9, 2010 at 10:20 AM, Adam Barth <[email protected]> wrote:
(As Maciej says, CORS doesn't appear to have this hole.)
Indeed, I misread the section on simple requests:
http://www.w3.org/TR/access-control/#simple-cross-origin-request0
I didn't realize the algorithm was checking the response headers in
several different places. I guess that's one of the dangers of an
algorithmic specification: you must have the whole thing in mind
before you can make any statements about what it does or does not do.
Given this correction, I'm reconsidering following of non-uniform
redirects. I still don't like that it makes it look like your example
design is safe, when in fact there are several non-confidentiality
problems with it, and using JSON for the final response also breaks
confidentiality.
Thanks for giving this another look.
As Maciej says, just because the server can screw up it's
confidentiality doesn't means we should prevent servers from doing
the
secure thing. By this argument, we should remove the same-origin
policy entirely because some sites might have XSS vulnerabilities.
Deciding to use a popular and standard media-type in its intended
setting is not at all comparable to filling your site with XSS
vulnerabilities. I did not read Maciej's email as suggesting
otherwise.
I don't think I suggested otherwise, nor do I think Adam suggested
that I suggested otherwise. What I meant to say was that the weak
confidentiality protection for ECMAScript should not be used as an
excuse to weaken protection for other resources. This is a leaky and
awkward hole but it does not justify ignoring more general
confidentiality concerns in any context.
Adam's analogy was that the widespread existence of XSS bugs is not a
reason to remove all cross-domain protection either. While it's not a
100% on-point analogy, I got the point he was making and I recognize
that it is similar to my own.
Regards,
Maciej
