[cap-talk] Fwd: [cors] TAG request concerning CORS &Next Step(s)

Karp, Alan H alan.karp at hp.com
Fri Jul 3 23:57:49 EDT 2009


This thread has gone quiet, which is probably why I finally got caught up.  Having read all the messages in a relatively short time, I think I follow the discussion.  Still there's something I don't get about Adam's use case.

First, let's make sure I understand the main motivation for same-origin and CORS.  Alice signs into her bank site, bank.com.  The page she is viewing has an ad in an iframe from evil.com.  Without same-origin, evil.com can submit a request to bank.com that will be honored because Alice's session cookie gets sent with the request.  However, blocking all cross-origin requests prevents some useful things, so specifying evil.com in the Origin header lets bank.com know that Alice didn't make the request.  (Aside: This approach would seem to preclude some useful functions, such as a service that collects info for Alice without being able to spend her money, because the choice is all of Alice's rights or none of them.)

Adam's example seemed quite different.  Alice visits Google Finance.  The page she visits has an iframe from Acme Finance.  Google Finance does not want to give stock ticker info to Alice but it would like to let Acme Finance get that info to show to Alice.  That's not possible with same-origin.  However, the Origin header will tell Google Finance that the request came from Acme Finance.  Most of the discussion on this example centered on the security properties because of the ease of forging an Origin header specifying Acme Finance.  Such a request will be honored because there is no other form of authentication.  Adam said that wasn't an issue.  People wondered why Google Finance won't honor a request from Alice if the service is so unimportant as to be not worth protecting from such a simple attack.

It seems to me that the reason for the disconnect is that Adam's example doesn't capture the motivation for the Origin header proposal.  Is this right?

________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp
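The two server-side checks the message describes, as an added example that is not part of the original post or of any project named in it: bank.com refusing a cookie-bearing request whose Origin is evil.com, and a Google Finance-style endpoint that serves only a partner origin. The domain acme-finance.example, the session store and all function names are constructed for illustration.

```python
# Added example, not code from the cap-talk thread: a minimal model of the two
# Origin checks the post describes, written as plain functions so it runs
# offline. Domain names, session values and function names are constructed.
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str
    headers: Dict[str, str] = field(default_factory=dict)


# Hypothetical bank.com session store: cookie value -> signed-in user.
BANK_SESSIONS = {"sess-alice-123": "alice"}

# Origins bank.com accepts state-changing requests from: only itself.
BANK_ALLOWED_ORIGINS = {"https://bank.com"}


def bank_transfer(req: Request) -> Response:
    """bank.com: the browser attaches Alice's cookie to every request, so the
    Origin header is what distinguishes a page at evil.com from bank.com's own."""
    user = BANK_SESSIONS.get(req.cookies.get("session", ""))
    if user is None:
        return Response(401, "not signed in")
    origin = req.headers.get("Origin")
    # Browsers set Origin on cross-origin requests; an absent header on a
    # state-changing request is treated as unknown and refused as well.
    if origin not in BANK_ALLOWED_ORIGINS:
        return Response(403, f"cross-origin request from {origin!r} refused")
    return Response(200, f"transfer executed for {user}")


# Hypothetical partner origin standing in for Acme Finance.
FINANCE_PARTNER_ORIGINS = {"https://acme-finance.example"}


def finance_ticker(req: Request) -> Response:
    """Google Finance-style endpoint: no session at all, only an Origin check.
    A request carrying a partner Origin is answered and the matching CORS
    header is added so the partner's page may read the response; a request
    without a partner Origin (Alice navigating there directly) is refused."""
    origin = req.headers.get("Origin")
    if origin not in FINANCE_PARTNER_ORIGINS:
        return Response(403, "ticker data is only served to partner pages")
    # Nothing here authenticates the caller: a non-browser client can put any
    # value in Origin, which is exactly the weakness the thread discusses.
    return Response(200, "ACME 42.00",
                    headers={"Access-Control-Allow-Origin": origin})


if __name__ == "__main__":
    alice = {"session": "sess-alice-123"}
    # Request initiated by a page at evil.com, sent by Alice's browser with her cookie.
    print(bank_transfer(Request("POST", "/transfer",
                                {"Origin": "https://evil.com"}, alice)))
    # The same request issued by bank.com's own page.
    print(bank_transfer(Request("POST", "/transfer",
                                {"Origin": "https://bank.com"}, alice)))
    print(finance_ticker(Request("GET", "/ticker",
                                 {"Origin": "https://acme-finance.example"})))
    print(finance_ticker(Request("GET", "/ticker")))
```

The bank check only works because browsers, not pages, fill in the Origin header; the ticker check relies on the same property and therefore gates browsers only, which is the point the thread keeps returning to.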



