CORS should not be enforced on cross-origin requests where XMLHttpRequest.withCredentials is false or fetch with credentials is omit
Reported by dbarr...@wikimedia.org, Aug 14
Issue description
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.84 Safari/537.36
Steps to reproduce the problem:
Make a cross-origin request with
XMLHttpRequest.withCredentials = false;
or with:
fetch('https://example.com', {credentials: 'omit'});
What is the expected behavior?
The error should not have been thrown.
What went wrong?
Receive a Cross-Origin Resource Sharing (CORS) error.
Did this work before? No
Does this work in other browsers? N/A
Chrome version: 68.0.3440.84 Channel: stable
OS Version: OS X 10.12.6
Flash Version:
Native apps are able to make cross-origin, credential-less requests without the need for the CORS header. Web apps should have the ability to make credential-less requests cross-origin without requiring the origin to state that the request is allowed. Credential-less requests pose no threat to the requesting server.
Without this feature, it is more likely that a server administrator will unknowingly add `Access-Control-Allow-Origin: *` to ALL requests (even credentialed requests), thereby creating a security vulnerability where there wasn't one before. The browser should do all of this for everyone and there isn't a good reason why it shouldn't.
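The thread turns on what the browser does with `Access-Control-Allow-Origin: *` once a request carries credentials. The following is an added editor's example, not code from the issue, from Chromium or from the Fetch standard's text: it models the CORS check a browser runs on a cross-origin response (header present; `*` accepted only when credentials are not included; otherwise the value must equal the requesting origin exactly, and a credentialed request additionally needs `Access-Control-Allow-Credentials: true`) and applies it to three constructed server policies, including the blanket wildcard described above and the reflect-any-Origin policy that is the common real-world mistake. The origins, policy functions and response headers are all constructed for the illustration.

```javascript
// Added example (editor's illustration, not from the Chromium issue, Chromium
// or the Fetch standard's own text). Models the browser-side CORS check on a
// cross-origin response and runs it against constructed server header policies.
// Nothing is fetched over the network; every response is built inline.

// Model of the CORS check. requestOrigin is the requesting page's serialized
// origin; credentialsMode is 'omit', 'same-origin' or 'include' (fetch), where
// XHR withCredentials=false corresponds to 'same-origin' and true to 'include'.
// Header names are lower-cased to mirror how the Headers object normalizes them.
function corsCheck(requestOrigin, credentialsMode, responseHeaders) {
  const acao = responseHeaders['access-control-allow-origin'];
  if (acao === undefined || acao === null) return false;     // no header: response is opaque
  const credentialed = credentialsMode === 'include';
  if (!credentialed && acao === '*') return true;            // wildcard suffices without credentials
  if (acao !== requestOrigin) return false;                   // must equal the request origin exactly
  if (!credentialed) return true;
  return responseHeaders['access-control-allow-credentials'] === 'true';
}

// (a) The blanket policy the report worries about: '*' on every response.
function wildcardPolicy(_requestOriginHeader) {
  return { 'access-control-allow-origin': '*' };
}

// (b) The dangerous policy: reflect whatever Origin arrives and allow credentials.
function reflectingPolicy(requestOriginHeader) {
  return {
    'access-control-allow-origin': requestOriginHeader,
    'access-control-allow-credentials': 'true',
  };
}

// (c) An allow-list policy: reflect only known origins, and vary on Origin so
// shared caches do not serve one origin's answer to another.
const ALLOWED_ORIGINS = new Set(['https://trusted.example']); // constructed allow-list
function allowListPolicy(requestOriginHeader) {
  if (!ALLOWED_ORIGINS.has(requestOriginHeader)) return {};   // no CORS headers at all
  return {
    'access-control-allow-origin': requestOriginHeader,
    'access-control-allow-credentials': 'true',
    'vary': 'Origin',
  };
}

// Evaluate a policy for one requesting origin in both credential modes.
function evaluate(policy, requestOrigin) {
  const headers = policy(requestOrigin);
  return {
    omit: corsCheck(requestOrigin, 'omit', headers),
    include: corsCheck(requestOrigin, 'include', headers),
  };
}

const ATTACKER_ORIGIN = 'https://attacker.example';          // constructed hostile origin

const results = {
  wildcard: evaluate(wildcardPolicy, ATTACKER_ORIGIN),
  reflecting: evaluate(reflectingPolicy, ATTACKER_ORIGIN),
  allowListUnknown: evaluate(allowListPolicy, ATTACKER_ORIGIN),
  allowListTrusted: evaluate(allowListPolicy, 'https://trusted.example'),
};

console.log(results);
```

Two things to read off the result table. First, the wildcard policy passes the check only for the credential-less request; a browser following the check above refuses to hand a credentialed response to the page when the header is `*`, so the blanket wildcard by itself does not expose cookie-authenticated responses, while the reflecting policy does for any origin. Second, the wildcard still fully exposes responses whose only protection is network position (intranet hosts, IP-allow-listed services), which is exactly the class of resource the later comments in this thread are concerned with.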
Aug 15
I recommend closing this as INVALID as it'd break the same-origin policy. (See also https://github.com/whatwg/fetch/issues/787.)
Aug 15
I guess I'm saying that the same-origin policy needs to be changed.
Aug 15
Why is it that credential-less cross-origin requests are subject to the same-origin policy anyway?
Aug 15
Perhaps a compromise would be to create a permission to do this? Allow the user to opt-into credential-less cross-domain requests?
Aug 15
The way this feature is currently implemented, it not only makes the browser responsible for protecting open-access intranet sites, but it also makes every single site owner responsible for correctly implementing CORS in order to protect these few unknown open-access intranet sites. And if they do not correctly implement CORS, then they sacrifice their own security and the security of their users.
Aug 15
I think anne's comments in the fetch repo issue cover this sufficiently. Tossing in the direction of mkwst in case there's more worth adding here.
Comment 1 by dbarr...@wikimedia.org, Aug 14