[cap-talk] CORS and GIFAR attacks

Adam Barth cap-talk at adambarth.com
Wed Oct 7 13:18:37 EDT 2009


On Wed, Oct 7, 2009 at 10:03 AM, Toby Murray <tobycmurray at googlemail.com> wrote:
> Having just looked again at the CORS document ([1] in my original message),
> I see that nowhere does it mention CSRF. That said, the exact nature of the
> purpose of CORS still eludes me. It certainly seems to be talked about in
> the context of protecting against cross-site attacks, see e.g.
> http://www.theregister.co.uk/2009/10/03/mozilla_web_20_solution/

That article seems to be about CSP, not CORS.  CSP is Content security
policies and is explained here:

https://wiki.mozilla.org/Security/CSP/Spec

> Am I confusing CORS with the "Origin" header proposal?
> http://people.mozilla.org/~bsterne/content-security-policy/origin-header-proposal.html
>
> If so, is there something I should look at to learn the difference between
> them? Do you know which of these The Register article above is referring to?

CORS is a protocol that uses the Origin header.  The Origin header is
specified here:

http://tools.ietf.org/html/draft-abarth-origin

> I'm inclined to take the latter view (problem with the web security model).

I suspected as much.  :)

> Can I ask whether you agree with my position above that this is a problem
> with the web security model in general?

One unfortunate consequence of the web security model is that
cross-site scripting (XSS) exists.  XSS is a much bigger problem than
GIFAR, which is just one kind of XSS vulnerability.

> If so, is this fundamental problem something you believe is worth
> addressing? If so, what sorts of solutions appear promising?

I think it's a fine problem worth working on.  I don't expect to work
on it myself any time soon.  The challenge in working on that problem
is that it's difficult to evaluate whether your design is better or
worse than the current design.  Most of the justifications on this
list and in the literature are based on story-telling and not on
reproducible experiments.  Can you propose an experiment we could
conduct to decide which approach is better?

> If not, is it that there are more fundamental problems with the web that you
> believe are worth addressing, or would you say that we get better bang for
> our security buck by focusing on problems (or solutions) that don't require
> an entire rethink of the web security model in order to remedy (or
> implement)?

As researchers, we don't need to worry exclusively about the bottom
line.  I think it's fine to research things that are not
cost-effective in the short term.

Adam
