Jon Ferraiolo wrote:
----------------
When making a _cross-site access request_
<http://www.w3.org/TR/access-control/#cross-site-access-request> user
agents /should/ ensure to:
o ...
o Not to expose any trusted data, such as cookies, HTTP header
data, inappropriately
----------------
I worry that the language can be mis-interpreted or misunderstood. What
seems "inappropriate" to you might be different from what someone else
thinks. My opinion (shared with other OpenAjax members) is that we would
like to see language that is simpler and more direct, such as "cookies
SHOULD NOT be sent with cross-site requests". I haven't studied the
specification from an editorial perspective all that clearly, but maybe
something like this would work:
----------------
When making a _cross-site access request_
<http://www.w3.org/TR/access-control/#cross-site-access-request> user
agents:
...
* SHOULD NOT transmit cookies or HTTP header data
----------------
I don't think this is what the spec means to say, nor do I think that it
should.
Why is sending cookies along with the cross-site request a security
problem? As long as you are sending the cookies for the third-party site
things should be fine. I.e. if server A makes a cross-site request to
server B, the request should include the cookies appropriate for server
B (but none of the cookies related to server A).
It is already easy to make a GET request to a third-party server which
includes the cookies for the third-party server, so if that has any
side-effects you are already in trouble.
If it does not have side-effects to do so, I don't see the harm in doing
that for cross-site access requests.
Can you describe the attack you are worried about?
The reason we'd want to include cookies for cross-site access requests
is that many servers use cookies to authenticate the user, before even
running the user code used to generate the page. If we didn't send
cookies it would be significantly harder to support cross-site requests
on such servers.
/ Jonas
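The cookie-scoping behaviour Jonas describes, as an added example that is not part of the original thread: a model of which cookies a user agent attaches to a cross-site request, showing that a request from a page on server A to server B carries B's cookies and none of A's, and that a side-effecting GET on B is therefore already reachable from A with the user's B session, whatever the access-control spec says. Cookie selection follows the RFC 6265 domain, path and secure rules (the codified form of the behaviour browsers had at the time); the host names a.example and b.example, the cookie names and the /balance and /transfer endpoints are constructed for illustration.

```javascript
// Added example, not code from the original thread: which cookies a user
// agent sends with a cross-site request, and a toy server B that, as the
// message describes, authenticates from the cookie before any page code runs.
// Host names, cookie names and endpoints are constructed for illustration.

// RFC 6265 section 5.1.3: host equals the cookie domain, or ends in "." +
// domain and is not an IP address.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  if (host === cookieDomain) return true;
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  return host.endsWith('.' + cookieDomain);
}

// RFC 6265 section 5.1.4 path matching.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Jar entries: { name, value, domain, path, hostOnly, secure }.
function cookiesFor(jar, url) {
  const u = new URL(url);
  return jar.filter(c =>
    (c.hostOnly ? u.hostname.toLowerCase() === c.domain.toLowerCase()
                : domainMatches(u.hostname, c.domain)) &&
    pathMatches(u.pathname, c.path) &&
    (!c.secure || u.protocol === 'https:'));
}

// The Cookie header a user agent sends to `url`. It is selected by the
// target URL alone; the origin of the page making the request plays no part.
function cookieHeader(jar, url) {
  return cookiesFor(jar, url).map(c => `${c.name}=${c.value}`).join('; ');
}

function parseCookieHeader(header) {
  const out = {};
  for (const part of header.split(';')) {
    const s = part.trim();
    const eq = s.indexOf('=');
    if (eq > 0) out[s.slice(0, eq)] = s.slice(eq + 1);
  }
  return out;
}

// Constructed jar: the user is logged in to both a.example and b.example.
const JAR = [
  { name: 'sidA', value: 'aaa', domain: 'a.example', path: '/', hostOnly: true, secure: false },
  { name: 'sidB', value: 'bbb', domain: 'b.example', path: '/', hostOnly: true, secure: false },
  // domain cookie: also sent to subdomains such as api.b.example
  { name: 'lang', value: 'en', domain: 'b.example', path: '/', hostOnly: false, secure: false },
  // secure cookie: never sent over plain http
  { name: 'csrfB', value: 'ccc', domain: 'b.example', path: '/', hostOnly: true, secure: true },
];

// Toy server B: the session cookie is checked before anything else runs.
// /transfer is a GET with a side effect, the "already in trouble" case.
function makeServerB(sessions, balances) {
  return function handle(url, cookieHdr) {
    const user = sessions[parseCookieHeader(cookieHdr).sidB];
    if (!user) return { status: 401, body: 'login required' };
    const u = new URL(url, 'http://b.example');
    if (u.pathname === '/balance') return { status: 200, body: `${user}:${balances[user]}` };
    if (u.pathname === '/transfer') {
      balances[user] -= Number(u.searchParams.get('amount'));
      return { status: 200, body: `${user}:${balances[user]}` };
    }
    return { status: 404, body: 'not found' };
  };
}

// A cross-site GET issued by a page on `pageOrigin` to `targetUrl`: the
// cookies attached are B's (chosen by targetUrl), never A's.
function crossSiteGet(serverB, pageOrigin, targetUrl) {
  const hdr = cookieHeader(JAR, targetUrl);
  return { pageOrigin, cookieHeader: hdr, response: serverB(targetUrl, hdr) };
}

function demo() {
  const serverB = makeServerB({ bbb: 'alice' }, { alice: 100 });
  const read = crossSiteGet(serverB, 'http://a.example', 'http://b.example/balance');
  const write = crossSiteGet(serverB, 'http://a.example', 'http://b.example/transfer?amount=30');
  return { read, write };
}

const demoResult = demo();
console.log('Cookie header sent to b.example:', demoResult.read.cookieHeader);
console.log('Cross-site GET /balance ->', demoResult.read.response);
console.log('Cross-site GET /transfer?amount=30 ->', demoResult.write.response);
```

Run with `node` and note that the header sent to b.example is `sidB=bbb; lang=en`: sidA is never attached because it is scoped to a.example, and csrfB is withheld because the request is plain http. The /transfer call succeeds with alice's session even though it was issued from a page on a.example, which is exactly why the side-effecting GET, not the cookie, is the problem.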