On 8/26/2013 6:27 PM, Matt Basta wrote:

> It should be noted that CORSing without discretion can render CSRF
> protection completely useless.

"Without discretion" is echoing back whatever you find in the Origin: header and adding "Access-Control-Allow-Credentials: true" indiscriminately.

Access-Control-Allow-Origin: * is a special case that cannot be combined with Access-Control-Allow-Credentials--browsers will ignore the allow-credentials even if your site adds it. Attack sites can still make all the "simple" (GET, POST) requests that were possible before CORS was invented, so if your site has a CSRF problem under those circumstances then you have no CSRF protection at all. With a "*" response a foreign site isn't allowed to read the responses or make non-simple requests unless they had explicitly dropped credentials.

> If your site adds the Access-Control-Allow-Credentials header,
> malicious sites can detect whether a user is logged in,

Attackers can generally tell whether users are logged in with or without CORS via timing attacks.

> For APIs, though, this generally isn't an issue (and who uses cookies
> with their API anyway?)

https://wiki.mozilla.org/Bugzilla:REST_API for one.

-Dan Veditz
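Added example, not code from the thread or from any Mozilla project: the two response policies the message contrasts, side by side. `reflectingCorsHeaders` is the "without discretion" behaviour (echo `Origin`, always send `Allow-Credentials: true`); `allowlistCorsHeaders` only grants credentials to origins in an assumed `ALLOWED_ORIGINS` set and otherwise answers with nothing or with `*`. `canReadWithCredentials` mirrors the browser-side check, including the rule that `*` never combines with credentials, and `isSimpleRequest` flags the cross-site requests (form-style GET/POST) that were already possible before CORS. All origins and hostnames are made up for the example.

```javascript
// Added example (not from the original thread). Plain Node/JS, no dependencies.

// Assumption: these are the site's own front-ends that legitimately need
// cookie-authenticated cross-origin access.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// "Without discretion": reflect whatever Origin arrives and always allow
// credentials. Any page the victim visits can now read responses that carry
// the victim's cookies, so any CSRF defence based on "they can't read the
// token" is gone.
function reflectingCorsHeaders(originHeader) {
  if (!originHeader) return {};
  return {
    'Access-Control-Allow-Origin': originHeader,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',   // keep caches from serving one origin's answer to another
  };
}

// Allowlist-based: named origins get credentials; everyone else gets either
// nothing or a bare '*' (useful for a public, cookie-less API).
function allowlistCorsHeaders(originHeader, { publicNoCredentials = false } = {}) {
  if (!originHeader) return {};
  if (ALLOWED_ORIGINS.has(originHeader)) {
    return {
      'Access-Control-Allow-Origin': originHeader,
      'Access-Control-Allow-Credentials': 'true',
      'Vary': 'Origin',
    };
  }
  if (publicNoCredentials) {
    // '*' can never be combined with Allow-Credentials; browsers ignore the
    // credentials flag, so a foreign page cannot read a cookie-bearing reply.
    return { 'Access-Control-Allow-Origin': '*' };
  }
  return {};
}

// Browser-side view: may a page at requestOrigin read the response body of a
// credentialed (cookie-carrying) request answered with these headers?
function canReadWithCredentials(headers, requestOrigin) {
  const acao = headers['Access-Control-Allow-Origin'];
  const acac = headers['Access-Control-Allow-Credentials'];
  if (acao === '*') return false;            // '*' + credentials is rejected
  return acao === requestOrigin && acac === 'true';
}

// CORS "simple request" test. Requests that pass could already be sent
// cross-site (e.g. by an auto-submitting <form>) before CORS existed; CORS
// only governs whether the response may be read, never whether it is sent.
const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SIMPLE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);
const SIMPLE_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
function isSimpleRequest(method, headers = {}) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return false;
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (!SIMPLE_HEADERS.has(n)) return false;   // any custom header forces a preflight
    if (n === 'content-type') {
      const mime = String(value).split(';')[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.has(mime)) return false;
    }
  }
  return true;
}

module.exports = { reflectingCorsHeaders, allowlistCorsHeaders, canReadWithCredentials, isSimpleRequest };
```

With a hypothetical attacker page at `https://evil.example`, `reflectingCorsHeaders('https://evil.example')` lets that page read cookie-authenticated responses, while `allowlistCorsHeaders` gives it nothing readable whether or not `publicNoCredentials` is set. `isSimpleRequest('POST', {'Content-Type': 'application/x-www-form-urlencoded'})` is true, which is the point of the message: that request reaches the server regardless of any CORS headers, so the server still needs its own CSRF check for it.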
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security