Jonas Sicking wrote:
Hi All,
So I have some feedback to this proposal. I think Hixie might have
misunderstood me, and while I agreed to him publishing it, it's
definitely not _from_ me.
So there are a couple of pretty big security concerns that I have with
this proposal.
1.
It introduces ordering issues. Consider the following setup: a server
contains two resources, /dir/A and /dir/B, and returns the following
replies to OPTIONS requests:

/dir/
  Access-Control: allow <*> method POST
  Method-Check-Policy-Path: /dir/
  Method-Check-Max-Age: 3600

/dir/A
  Access-Control: allow <*> method POST
  Method-Check-Policy-Path: /dir/
  Method-Check-Max-Age: 3600

/dir/B
  Access-Control: deny <*> method POST
  Method-Check-Max-Age: 3600
If a UA now accesses resource A it would do OPTIONS requests to /dir/A
and then /dir/ and result in "allow <*> method POST" being cached as the
policy for all resources under /dir/.
If the UA then tries to do a POST to resource B this would be performed
without any OPTIONS requests. I.e. the POST to B would be successful.
However if the UA first tries to do a POST to resource B, the UA would
first do an OPTIONS request to /dir/B and then abort. I.e. the POST to B
would be unsuccessful.
Note that this isn't a problem with 'deny' rules. The exact same problem
is there if OPTIONS requests to /dir/B don't return any AC headers at
all. I just wanted the example to be more specific.
/ Jonas
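The ordering problem above, replayed in a small model of the UA-side method-check cache. This is an added example, not code from the message, the proposal or any browser: the OPTIONS replies are the constructed ones from the message, while the cache's keying (policy-path prefix, most specific match wins) and the exact moment an allow gets cached are assumptions made to follow the behaviour the message describes. Both orders of access are run against the same server, and the variant where /dir/B returns no Access-Control header at all is included as well.

```python
"""Toy model of a UA "method check" cache driven by OPTIONS replies carrying
Access-Control / Method-Check-Policy-Path headers. Added example; the cache
semantics (prefix keyed, longest matching prefix wins) are this model's
assumption, not text from the proposal."""

# Constructed OPTIONS responses, one per path, copied from the message's setup.
SERVER_OPTIONS = {
    "/dir/": {
        "Access-Control": "allow <*> method POST",
        "Method-Check-Policy-Path": "/dir/",
        "Method-Check-Max-Age": "3600",
    },
    "/dir/A": {
        "Access-Control": "allow <*> method POST",
        "Method-Check-Policy-Path": "/dir/",
        "Method-Check-Max-Age": "3600",
    },
    "/dir/B": {
        "Access-Control": "deny <*> method POST",
        "Method-Check-Max-Age": "3600",
    },
}

# Variant from the message's last paragraph: /dir/B returns no AC headers at all.
SERVER_OPTIONS_NO_HEADERS = {**SERVER_OPTIONS, "/dir/B": {}}


def parse_decision(access_control):
    """'allow <*> method POST' -> 'allow'; 'deny ...' or a missing header -> 'deny'."""
    if not access_control:
        return "deny"
    return "allow" if access_control.split()[0] == "allow" else "deny"


class UserAgent:
    def __init__(self, server):
        self.server = server
        self.cache = {}  # policy path prefix -> "allow" / "deny"
        self.log = []    # every request the UA emits, in order

    def _options(self, path):
        self.log.append(("OPTIONS", path))
        return self.server.get(path, {})

    def _cached(self, path):
        # Assumption: the most specific cached policy path wins.
        for prefix in sorted(self.cache, key=len, reverse=True):
            if path.startswith(prefix):
                return self.cache[prefix]
        return None

    def _method_check(self, path):
        headers = self._options(path)
        decision = parse_decision(headers.get("Access-Control"))
        policy_path = headers.get("Method-Check-Policy-Path")
        if decision == "allow" and policy_path and policy_path != path:
            # As the message describes: the UA also asks the policy path, and if
            # that allows too, the allow is cached for everything under it.
            decision = parse_decision(self._options(policy_path).get("Access-Control"))
            if decision == "allow":
                self.cache[policy_path] = "allow"
                return decision
        # Otherwise the answer is remembered for this resource only.
        self.cache[path] = decision
        return decision

    def post(self, path):
        decision = self._cached(path)
        if decision is None:
            decision = self._method_check(path)
        self.log.append(("POST" if decision == "allow" else "ABORT", path))
        return decision == "allow"


def a_then_b(server=SERVER_OPTIONS):
    """Access A first, then POST to B. Returns (B allowed?, request log)."""
    ua = UserAgent(server)
    ua.post("/dir/A")
    return ua.post("/dir/B"), ua.log


def b_first(server=SERVER_OPTIONS):
    """POST to B on a cold cache. Returns (B allowed?, request log)."""
    ua = UserAgent(server)
    return ua.post("/dir/B"), ua.log


if __name__ == "__main__":
    for name, scenario in (("A then B", a_then_b), ("B first", b_first)):
        allowed, log = scenario()
        print(f"{name}: POST /dir/B allowed={allowed}; requests={log}")
```

Running it shows the two outcomes side by side: after touching A, the POST to B goes out with no OPTIONS request at all because the cached /dir/ policy covers it, while on a cold cache the OPTIONS reply for /dir/B aborts the same POST. The same split appears when /dir/B's reply carries no Access-Control header, since the cached prefix policy is consulted before the resource is ever asked.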