[websec] Call for Consensus: CORS to Candidate Recommendation

"Hill, Brad" <bhill@paypal-inc.com> Thu, 15 November 2012 22:31 UTC

From: "Hill, Brad" <bhill@paypal-inc.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>, "WebApps WG (public-webapps@w3.org)" <public-webapps@w3.org>
Date: Thu, 15 Nov 2012 22:31:24 +0000
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E2ED5A9@DEN-EXDDA-S12.corp.ebay.com>
Cc: "Anne van Kesteren (annevk@annevk.nl)" <annevk@annevk.nl>, "public-web-security@w3.org" <public-web-security@w3.org>, "websec@ietf.org" <websec@ietf.org>
Subject: [websec] Call for Consensus: CORS to Candidate Recommendation

WebApps and WebAppSec WG members (and copied security interest groups, whom we invite to provide comments),

Following discussion at TPAC, I've resolved outstanding changes in the security considerations section agreed to by WebAppSec as well as differences between the W3C and WHATWG versions of CORS, and believe we are ready to go to Candidate Recommendation.  We probably have enough implementations to proceed directly to Proposed Recommendation, but our test suite still needs better documentation of its coverage and some test cases need repairs, so I believe moving to CR first, and as soon as possible, is the right next step, while we work out those details.

I have placed a draft for review at:


And this is a Call for Consensus among the WebAppSec and WebApps WGs to take this particular text (with necessary additions to the Status of this Document section if approved) forward to Candidate Recommendation.

Please send comments to public-webappsec@w3.org; positive feedback is encouraged.

This CfC will end on November 23, 2012.

Substantive changes from the last published version (both pulled from the WHATWG version) include:

1. updating the redirect status codes to include the newly defined 308
2. adding the referrer source header as input to the fetch algorithm

Non-substantive changes include:

1. Clarified text defining 5.1, Access-Control-Origin allow header to read: the value of the Origin request header, "*", or "null"
2. Updated "certificates differ" reason for algorithm abort to "certificate errors"
3. Replaced "ambient authority" with "user credentials sent with cross-origin requests"
4. Replaced a number of instances of "server" with more consistent usage of "resource"
5. Updated language slightly about OWS in header value definitions in HTTP/1.1 spec
6. Removed reference in security considerations to Origin header as a credential, as it is explicitly defined as not being a credential
7. Deleted paragraph in security considerations section on forwarding attacks as on further consideration it is not a genuine concern
8. Removed language about validating data in the security considerations section comparing CORS to JSONP
9. Removed "safe and idempotent" language in security considerations and replaced with "significance other than retrieval"
10. Changed "implicit" credentials language to "user credentials automatically attached to the request by the user agent"
11. Updated language in security considerations on path-distinguished application principals vs. origin-distinguished principals
12. Merged updated thanks and acknowledgements from WHATWG version
13. Removed language about multiple origins in security considerations as that is now forbidden by the redirect steps
14. Added a non-normative "Implementation Considerations" as Section 6.4 under the Resource Processing Model with the following text:

"Resources that wish to enable themselves to be shared with multiple Origins but do not respond uniformly with "*" must in practice generate the Access-Control-Allow-Origin header dynamically in response to every request they wish to allow. As a consequence, authors of such resources should send a Vary: Origin HTTP header or provide other appropriate control directives to prevent caching of such responses, which may be inaccurate if re-used across origins."

Thank you,

Brad Hill
WebAppSec WG Co-Chair
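The Implementation Considerations text quoted in item 14, worked through as an added example that is not part of the original message or of the CORS specification: a resource that allow-lists several origins emits Access-Control-Allow-Origin per request, and Vary: Origin makes a shared cache key on the Origin header so one origin's response is not replayed to another. The allow-list, URL and toy cache below are constructed for illustration.

```python
# Constructed allow-list; a real resource would load this from configuration.
ALLOWED_ORIGINS = {"https://app.example", "https://admin.example"}


def cors_headers(request_headers: dict, send_vary: bool = True) -> dict:
    """Response headers for a resource shared with several specific origins."""
    origin = request_headers.get("Origin")
    resp = {"Content-Type": "application/json"}
    if origin in ALLOWED_ORIGINS:
        # Reflect only an allow-listed value; arbitrary Origins get no ACAO.
        resp["Access-Control-Allow-Origin"] = origin
    if send_vary:
        # Declares that the response depends on the Origin request header.
        resp["Vary"] = "Origin"
    return resp


class SharedCache:
    """Minimal HTTP cache that keys stored responses on URL plus the request
    headers named in Vary (the secondary key of RFC 7234 section 4.1)."""

    def __init__(self) -> None:
        self.store = {}

    def fetch(self, url: str, req_hdrs: dict, origin_server):
        # Hit only if URL and every Vary-named header value match.
        for (u, secondary), resp in self.store.items():
            if u == url and all(req_hdrs.get(h) == v for h, v in secondary):
                return resp, True
        resp = origin_server(req_hdrs)
        vary = [h.strip() for h in resp.get("Vary", "").split(",") if h.strip()]
        secondary = tuple((h, req_hdrs.get(h)) for h in vary)
        self.store[(url, secondary)] = resp
        return resp, False


def simulate(send_vary: bool):
    """Two allowed origins request the same URL through one shared cache.
    Returns (ACAO value the second origin receives, whether it was a cache hit)."""
    cache = SharedCache()
    server = lambda hdrs: cors_headers(hdrs, send_vary)
    cache.fetch("/api/data", {"Origin": "https://app.example"}, server)
    resp, hit = cache.fetch("/api/data", {"Origin": "https://admin.example"}, server)
    return resp.get("Access-Control-Allow-Origin"), hit


if __name__ == "__main__":
    print("with Vary: Origin    ->", simulate(True))   # second origin gets its own ACAO
    print("without Vary: Origin ->", simulate(False))  # first origin's ACAO replayed
```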