[cap-talk] Fwd: [cors] TAG request concerning CORS &Next Step(s)

Sandro Magi naasking at higherlogics.com
Mon Jul 6 09:38:48 EDT 2009


Ben Laurie wrote:
> And neither Google nor Acme Finance care if users forge the header and
> thus get access themselves?
> 
> It's pretty clear (I think) that this problem is just plain insoluble
> if the aim is to go via the (untrusted) browser, so the main thing is
> to make it explicit, I guess.

The CORS solution assumes a largely trusted install base of browsers, in
the sense that they correctly implement the CORS spec. The assumed
attack vectors are malicious sites, not users, and CORS aims to protect
users and other sites from abuse. This is a legitimate reflection of the
current situation on the web, though not necessarily the future situation.

Systems which expose valuable data, such that user-level forgery is a
relevant attack vector, cannot rely on the Origin header. Tokens solve
both problems.

Sandro
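
A worked illustration of the distinction Sandro draws, added here as an example and not code from the thread or from any CORS implementation. It models two server-side policies: one that grants access based on the Origin header (which only holds if every client is a conforming browser) and one that grants access based on an unguessable bearer token. The origin allow-list, the principal names and the request dictionaries are constructed for the example; the point is that a hand-crafted request carrying a forged Origin passes the first gate but not the second, so only the token gate is safe when user-level forgery matters.

```python
"""Origin-header gate versus token gate: a constructed model of the
two authorization styles discussed in the thread (example code)."""
import hashlib
import secrets
from typing import Dict, Optional

# Constructed allow-list: the sites Acme Finance lets read its data cross-origin.
ALLOWED_ORIGINS = {"https://www.google.com"}  # hypothetical value


def cors_response_headers(request_headers: Dict[str, str]) -> Dict[str, str]:
    """Compute CORS response headers from the request's Origin header.

    This is the CORS trust model: the server only *tells* the browser which
    origin may read the response. Enforcement happens in the browser, so it
    protects users from malicious sites, not the server from its users."""
    origin = request_headers.get("Origin")
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}


def origin_gate(request_headers: Dict[str, str]) -> bool:
    """A server that (wrongly, for sensitive data) uses Origin as an
    authorization decision. The server cannot distinguish a browser-set
    Origin from one typed into a hand-crafted request, so this gate holds
    only while every client is a conforming browser."""
    return request_headers.get("Origin") in ALLOWED_ORIGINS


class TokenStore:
    """Issues unguessable bearer tokens and maps them back to a principal.

    Tokens are stored by SHA-256 digest so that a dump of the store does not
    yield usable credentials and lookup does not compare raw secrets."""

    def __init__(self) -> None:
        self._by_digest: Dict[str, str] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, principal: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of entropy: not forgeable by guessing
        self._by_digest[self._digest(token)] = principal
        return token

    def lookup(self, token: str) -> Optional[str]:
        return self._by_digest.get(self._digest(token))


def token_gate(request_headers: Dict[str, str], store: TokenStore) -> Optional[str]:
    """Authorize on a bearer token rather than on who the browser claims
    the requesting page is. Returns the principal, or None if the request
    carries no valid token. A forged Origin header is irrelevant here."""
    auth = request_headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return store.lookup(auth[len("Bearer "):])


def handle_request(request_headers: Dict[str, str], store: TokenStore):
    """Combine both mechanisms the way a careful server would: CORS headers
    control what a browser may expose to a page; the token decides whether
    the data is released at all. Returns (status, principal_or_None, headers)."""
    principal = token_gate(request_headers, store)
    headers = cors_response_headers(request_headers)
    if principal is None:
        return 401, None, headers
    return 200, principal, headers


if __name__ == "__main__":
    store = TokenStore()
    alice_token = store.issue("alice")
    # A browser request from an allowed origin with a valid token.
    browser = {"Origin": "https://www.google.com",
               "Authorization": "Bearer " + alice_token}
    # A hand-crafted request that forges the Origin but holds no token.
    forged = {"Origin": "https://www.google.com"}
    print("origin gate, forged request:", origin_gate(forged))        # True: the gate is fooled
    print("token gate, forged request: ", token_gate(forged, store))  # None: nothing to forge
    print("full handler, browser:      ", handle_request(browser, store)[:2])
    print("full handler, forged:       ", handle_request(forged, store)[:2])
```

Run it as a script to see the two gates side by side; the `handle_request` function is the shape a server would actually use, with CORS headers emitted for the browser's benefit and the release decision made on the token alone.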
