[cap-talk] Fwd: [cors] TAG request concerning CORS &Next Step(s)

Karp, Alan H alan.karp at hp.com
Sun Jul 5 22:55:14 EDT 2009


Adam Barth wrote:
> 
> The Origin header is used by two draft specifications.  To understand
> the discussion, it's important to know which draft we're discussing.
> At the moment, we're talking about CORS.  CORS is all about the Acme
> Finance example (i.e., cross-origin resource sharing) and not about the
> bank.com example (i.e., cross-site request forgery).
>
Thanks for the clarification.  If I understand correctly, the other spec makes it possible to reject a request from a third party that would be accepted from the user.  I understand the motivation for that case because the user has a credential, such as a session key, that the third party does not.  

CORS makes it possible to accept a request from a third party that would be rejected if it came from the user.  I'm having trouble understanding the value since there is no other credential.  The only authentication is the Origin header, which means forgery is trivial.  I can't imagine Acme Finance would be happy about paying for a service with such a flaw.  Maybe the problem is that I don't understand how the Origin header gets used.

________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp
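The server side of the CORS mechanism the thread is discussing, as an added example rather than code from either poster. The partner allow-list, the session store and the header dict are assumptions. It keeps two decisions apart: the CORS decision, keyed on the browser-set Origin header, only controls which cross-origin pages the browser will let read the response; authorization rests on the session credential the user holds, and a client that carries that credential without any Origin header (not a browser) is handled by the same path.

```python
"""Server-side CORS handling (added example; allow-list and sessions are constructed)."""

ALLOWED_ORIGINS = {"https://acme-finance.example"}   # constructed partner allow-list
ALLOWED_METHODS = {"GET", "POST"}
VALID_SESSIONS = {"s3cr3t-session-token"}            # constructed session store


def cors_headers(headers: dict) -> dict:
    """CORS response headers for this request, or {} when CORS does not apply."""
    origin = headers.get("Origin")
    if origin is None or origin not in ALLOWED_ORIGINS:
        # No Origin: same-origin or non-browser client, CORS is not involved.
        # Unknown Origin: answer normally; the browser refuses to expose the
        # response to the page because no Allow-Origin header names it.
        return {}
    out = {
        "Access-Control-Allow-Origin": origin,        # echo the exact origin, never "*"
        "Access-Control-Allow-Credentials": "true",   # cookies are sent on these requests
        "Vary": "Origin",                             # caches must key on Origin
    }
    method = headers.get("Access-Control-Request-Method")
    if method in ALLOWED_METHODS:                     # preflight for an allowed method
        out["Access-Control-Allow-Methods"] = ", ".join(sorted(ALLOWED_METHODS))
    return out


def is_authorized(headers: dict) -> bool:
    """Authorization depends on the credential, never on Origin."""
    cookie = headers.get("Cookie", "")
    pairs = (p.strip().split("=", 1) for p in cookie.split(";") if "=" in p)
    return dict(pairs).get("session") in VALID_SESSIONS


def handle(headers: dict) -> tuple:
    """Return (status, response headers) for a request to a protected resource."""
    if headers.get("Access-Control-Request-Method"):
        # Preflight: browsers send it without credentials, so it carries no
        # authorization decision; it only tells the browser what is permitted.
        return 204, cors_headers(headers)
    if not is_authorized(headers):
        return 403, cors_headers(headers)   # CORS headers so the page can see the 403
    return 200, cors_headers(headers)
```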


