Add CORS section #13
Add CORS section #13
Conversation
|
👍 (nicely done so far!) |
RubenVerborgh
force-pushed
the
feature/cors
branch
from
3727652
to
183b7c5
Compare
RubenVerborgh
requested review from
csarven,
dmitrizagidulin,
justinwb,
kjetilk and
michielbdejong
|
👍 |
|
@RubenVerborgh This is looking all around great so fine to merge (pending remaining minor edits). We'll surely revisit as we go. There is one thing that we should consider whether to expand on or not (perhaps as a Note): While credentials and Origin shouldn't be relied upon, there are potholes that need to be navigated around. Should we insist on ACAO * and no credentials? And/or if ACAO echos the Origin, clients should request with Cache-Control no-store (minding the caveats that come with it)? |
We're already insisting on not using
I know you've looked into this, but I would first need to see a reproducible example to make sure that this is indeed a fully functional workaround (and if it is, whether we cannot tweak it into a better solution).
Thanks for the reviews, all. @csarven If you could top off with an approval, would be nice. |
|
looks great!
is there a link about that somewhere?
Is there a link somewhere explaining how Also, I don't understand why an app would send credentials other than the |
|
Thanks @michielbdejong!
Yes; these are all part of the normative FETCH reference preceding them.
That would also be the FETCH reference. I've checked it there, and it does not seem affected. (There is no
On the one hand, this is a matter of spec orthogonality. Just in case there are cookies (for anything, not limited to auth), they should be supported. The CORS section does not mandate if and how authentication happens; could be with cookies, could be without. Also, they are just an example; the bottom line is that no request/response should be blocked at the browser level. On the other hand, WebID-OIDC needs cookies for a crucial step in the authentication process, so we do have a concrete case for it already. |
|
Four approvals, none against. Obviously, it needs more work, but I assume we're go on merging this? |
|
Thanks to @csarven, @dmitrizagidulin, @justinwb, @kjetilk, @michielbdejong, @pmcb55 for feedback!
Merging seems currently blocked by solid/process#95; I will inquire about the status. |
not sure I agree, because then i think they would be shared across apps if the user happens to have them open in the same browser session? For instance, if a UI like the data browser or a control panel on the pod's domain sets a cookie, then a third-party web app would do an XHR request and be allowed to do its request with that cookie from the on-pod UI? |
That is correct. And our assertion in this document is that this MUST NOT be prevented by the browser. So we purposely do not rely not on browser security mechanisms. However, the server is free to block cookies from third-party origins itself.
Cookies will never "leak"; |
|
i see how it's consistent with the "don't rely on cors" narrative, and i also see how the hole may still be stopped at the next layer.
I think that's at least unconventional and possibly also bad practice. so we should make sure we instruct server implementers about how to replace the security measures they are removing there. i think it would look like a bug to any security auditor if you allow third-party web apps to send http requests with the cookie of an on-pod UI. could you at least add a note to implementers saying that allowing |
|
btw i do agree about the not-relying-on-browsers for the rest of it, just not for the cookies thing that's mentioned right at the end of the text. |
Unconventional, yes, but by design (and without it, no Solid in browsers).
Yes, agreed. Note that there already is a statement saying that data pods MUST NOT rely on cross-origin protections (such as those against cookies), but it is indeed better to say this explicitly.
Good point. Since that solution is perhaps too implementation-specific, I added that untrusted cookies MUST be ignored in 0f4d5dc. Thanks! |
RubenVerborgh
added
category: editorial
Closes #12.