Re: Why the restriction on unauthenticated GET in CORS?

2012-07-21 Thread Eric Rescorla
Henry, In my opinion as Chair, there has been broad consensus in the WebAppSec WG that one of the basic design constraints of CORS is that introducing CORS features into browsers not create new security vulnerabilities for existing network deployments. What you are proposing would have that

Re: Why the restriction on unauthenticated GET in CORS?

2012-07-21 Thread Henry Story
On 21 Jul 2012, at 15:02, Eric Rescorla wrote: Henry, In my opinion as Chair, there has been broad consensus in the WebAppSec WG that one of the basic design constraints of CORS is that introducing CORS features into browsers not create new security vulnerabilities for existing network

Re: Why the restriction on unauthenticated GET in CORS?

2012-07-20 Thread Adam Barth
On Thu, Jul 19, 2012 at 7:50 AM, Cameron Jones cmhjo...@gmail.com wrote: On Thu, Jul 19, 2012 at 3:19 PM, Anne van Kesteren ann...@annevk.nl wrote: On Thu, Jul 19, 2012 at 4:10 PM, Cameron Jones cmhjo...@gmail.com wrote: Isn't this mitigated by the Origin header? No. Could you expand on

Re: Why the restriction on unauthenticated GET in CORS?

2012-07-20 Thread Cameron Jones
On Fri, Jul 20, 2012 at 8:29 AM, Adam Barth w...@adambarth.com wrote: On Thu, Jul 19, 2012 at 7:50 AM, Cameron Jones cmhjo...@gmail.com wrote: On Thu, Jul 19, 2012 at 3:19 PM, Anne van Kesteren ann...@annevk.nl wrote: On Thu, Jul 19, 2012 at 4:10 PM, Cameron Jones cmhjo...@gmail.com wrote:

Re: Why the restriction on unauthenticated GET in CORS?

2012-07-20 Thread Adam Barth
On Fri, Jul 20, 2012 at 4:37 AM, Cameron Jones cmhjo...@gmail.com wrote: On Fri, Jul 20, 2012 at 8:29 AM, Adam Barth w...@adambarth.com wrote: On Thu, Jul 19, 2012 at 7:50 AM, Cameron Jones cmhjo...@gmail.com wrote: On Thu, Jul 19, 2012 at 3:19 PM, Anne van Kesteren ann...@annevk.nl wrote: On

Re: Why the restriction on unauthenticated GET in CORS?

2012-07-20 Thread Cameron Jones
On Fri, Jul 20, 2012 at 4:50 PM, Adam Barth w...@adambarth.com wrote: On Fri, Jul 20, 2012 at 4:37 AM, Cameron Jones cmhjo...@gmail.com wrote: So, this is a non-starter. Thanks for all the fish. That's why we have the current design. Yes, I note the use of the word current and not final.

Re: Why the restriction on unauthenticated GET in CORS?

2012-07-20 Thread Adam Barth
On Fri, Jul 20, 2012 at 9:55 AM, Cameron Jones cmhjo...@gmail.com wrote: On Fri, Jul 20, 2012 at 4:50 PM, Adam Barth w...@adambarth.com wrote: On Fri, Jul 20, 2012 at 4:37 AM, Cameron Jones cmhjo...@gmail.com wrote: So, this is a non-starter. Thanks for all the fish. That's why we have the

Re: Why the restriction on unauthenticated GET in CORS?

2012-07-20 Thread Henry Story
On 20 Jul 2012, at 18:59, Adam Barth wrote: On Fri, Jul 20, 2012 at 9:55 AM, Cameron Jones cmhjo...@gmail.com wrote: On Fri, Jul 20, 2012 at 4:50 PM, Adam Barth w...@adambarth.com wrote: On Fri, Jul 20, 2012 at 4:37 AM, Cameron Jones cmhjo...@gmail.com wrote: So, this is a non-starter.

Re: Why the restriction on unauthenticated GET in CORS?

2012-07-20 Thread Tab Atkins Jr.
On Fri, Jul 20, 2012 at 11:58 AM, Henry Story henry.st...@bblfish.net wrote: Of course, but you seem to want to support hidden legacy systems, that is systems none of us know about or can see. It is still a worthwhile inquiry to find out how many systems there are for which this is a

Re: Why the restriction on unauthenticated GET in CORS?

2012-07-20 Thread Henry Story
On 20 Jul 2012, at 21:02, Tab Atkins Jr. wrote: On Fri, Jul 20, 2012 at 11:58 AM, Henry Story henry.st...@bblfish.net wrote: Of course, but you seem to want to support hidden legacy systems, that is systems none of us know about or can see. It is still a worthwhile inquiry to find out how

Re: Why the restriction on unauthenticated GET in CORS?

2012-07-20 Thread Ian Hickson
On Fri, 20 Jul 2012, Henry Story wrote: How many of those would use IP addresses that are not standard private IP addresses? (Because if they do, then they would not be affected). Of those that do not, would IPv6 offer them a scheme where they could easily use standard private IP

Re: Why the restriction on unauthenticated GET in CORS?

2012-07-20 Thread Jonas Sicking
On Fri, Jul 20, 2012 at 11:58 AM, Henry Story henry.st...@bblfish.net wrote: On 20 Jul 2012, at 18:59, Adam Barth wrote: On Fri, Jul 20, 2012 at 9:55 AM, Cameron Jones cmhjo...@gmail.com wrote: On Fri, Jul 20, 2012 at 4:50 PM, Adam Barth w...@adambarth.com wrote: On Fri, Jul 20, 2012 at 4:37

Re: Why the restriction on unauthenticated GET in CORS?

2012-07-20 Thread Henry Story
On 21 Jul 2012, at 05:39, Jonas Sicking wrote: On Fri, Jul 20, 2012 at 11:58 AM, Henry Story henry.st...@bblfish.net wrote: On 20 Jul 2012, at 18:59, Adam Barth wrote: On Fri, Jul 20, 2012 at 9:55 AM, Cameron Jones cmhjo...@gmail.com wrote: On Fri, Jul 20, 2012 at 4:50 PM, Adam Barth

Re: Why the restriction on unauthenticated GET in CORS?

2012-07-19 Thread Cameron Jones
On Wed, Jul 18, 2012 at 4:41 AM, Henry Story henry.st...@bblfish.net wrote: And it is the experience of this being required that led me to build a CORS proxy [1] - (I am not the first to write one, I add quickly) Yes, the Origin and unauthenticated CORS restrictions are trivially circumvented

Re: Why the restriction on unauthenticated GET in CORS?

2012-07-19 Thread Henry Story
On 19 Jul 2012, at 14:07, Cameron Jones wrote: On Wed, Jul 18, 2012 at 4:41 AM, Henry Story henry.st...@bblfish.net wrote: And it is the experience of this being required that led me to build a CORS proxy [1] - (I am not the first to write one, I add quickly) Yes, the Origin and

Re: Why the restriction on unauthenticated GET in CORS?

2012-07-19 Thread Cameron Jones
On Wed, Jul 18, 2012 at 4:41 AM, Henry Story henry.st...@bblfish.net wrote: 2. If there is no authentication, then the JS Agent could make the request via a CORS proxy of its choosing, and so get the content of the resource anyhow. Yes, the restriction on performing an unauthenticated GET

Re: Why the restriction on unauthenticated GET in CORS?

2012-07-19 Thread Anne van Kesteren
On Thu, Jul 19, 2012 at 2:43 PM, Henry Story henry.st...@bblfish.net wrote: If a mechanism can be found to apply restrictions for private IP ranges then that should be used in preference to forcing the rest of the web to implement CORS restrictions on public data. And indeed the firewall

Re: Why the restriction on unauthenticated GET in CORS?

2012-07-19 Thread Cameron Jones
On Thu, Jul 19, 2012 at 2:54 PM, Anne van Kesteren ann...@annevk.nl wrote: On Thu, Jul 19, 2012 at 2:43 PM, Henry Story henry.st...@bblfish.net wrote: If a mechanism can be found to apply restrictions for private IP ranges then that should be used in preference to forcing the rest of the web

Re: Why the restriction on unauthenticated GET in CORS?

2012-07-19 Thread Anne van Kesteren
On Thu, Jul 19, 2012 at 4:10 PM, Cameron Jones cmhjo...@gmail.com wrote: Isn't this mitigated by the Origin header? No. Also, what about the point that this is unethically pushing the costs of securing private resources onto public access providers? It is far more unethical to expose a

Re: Why the restriction on unauthenticated GET in CORS?

2012-07-19 Thread Cameron Jones
On Thu, Jul 19, 2012 at 3:06 PM, Eric Rescorla e...@rtfm.com wrote: On Thu, Jul 19, 2012 at 6:54 AM, Anne van Kesteren ann...@annevk.nl wrote: On Thu, Jul 19, 2012 at 2:43 PM, Henry Story henry.st...@bblfish.net wrote: If a mechanism can be found to apply restrictions for private IP ranges

Re: Why the restriction on unauthenticated GET in CORS?

2012-07-19 Thread Cameron Jones
On Thu, Jul 19, 2012 at 3:19 PM, Anne van Kesteren ann...@annevk.nl wrote: On Thu, Jul 19, 2012 at 4:10 PM, Cameron Jones cmhjo...@gmail.com wrote: Isn't this mitigated by the Origin header? No. Could you expand on this response, please? My understanding is that requests generated from XHR

Re: Why the restriction on unauthenticated GET in CORS?

2012-07-17 Thread Ian Hickson
On Wed, 18 Jul 2012, Henry Story wrote: So my argument is that this restriction could be lifted since 1. GET is idempotent - and should not affect the resource fetched 2. If there is no authentication, then the JS Agent could make the request via a CORS proxy of its choosing, and so

Re: Why the restriction on unauthenticated GET in CORS?

2012-07-17 Thread Henry Story
On 18 Jul 2012, at 05:47, Ian Hickson wrote: On Wed, 18 Jul 2012, Henry Story wrote: So my argument is that this restriction could be lifted since 1. GET is idempotent - and should not affect the resource fetched 2. If there is no authentication, then the JS Agent could make the