Bug 1483250 (Closed)
CORS should not be enforced on cross-origin requests where XMLHttpRequest.withCredentials is false or fetch with credentials is omit or same-origin

Opened 6 years ago
Closed 6 years ago
Categories: Core :: DOM: Core & HTML, defect
Status: RESOLVED WONTFIX
People: Reporter: david, Unassigned
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:61.0) Gecko/20100101 Firefox/61.0
Build ID: 20180807170231

Steps to reproduce:

Make a cross-origin request with XMLHttpRequest.withCredentials = false; or with:

fetch('https://example.com', {credentials: 'omit'});

Actual results:

Receive a Cross-Origin Resource Sharing (CORS) error.

Expected results:

The error should not have been thrown. Native apps are able to make cross-origin, credential-less requests without the need of the CORS header. Web Apps should have the ability to make credential-less requests cross-origin without requiring the origin to state that the request is allowed. Credential-less requests pose no threat to the requesting server.

Without this feature, it is more likely that a server-administrator will unknowingly add `Access-Control-Allow-Origin: *` to ALL requests (even credentialed requests), thereby creating a security vulnerability where there wasn't one before. The browser should do all of this for everyone and there isn't a good reason why it shouldn't.
Summary: CORS should not be enforced on cross-origin requests where XMLHttpRequest.withCredentials is false or fetch with crehdentials is omit → CORS should not be enforced on cross-origin requests where XMLHttpRequest.withCredentials is false or fetch with credentials is omit
Summary: CORS should not be enforced on cross-origin requests where XMLHttpRequest.withCredentials is false or fetch with credentials is omit → CORS should not be enforced on cross-origin requests where XMLHttpRequest.withCredentials is false or fetch with credentials is omit or same-origin
Comment 1 • 6 years ago
This would break the same-origin policy.
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → INVALID
I guess I'm saying that the same-origin policy needs to be changed.
Why is it that credential-less cross-origin requests are subject to the same-origin policy anyways?
Reopening based on the discussion in https://github.com/whatwg/fetch/issues/787
The way this feature is currently implemented, it not only makes the browser responsible for protecting open-access intranet sites, but it also makes every single site owner responsible for correctly implementing CORS in order to protect these few unknown open-access intranet sites. And if they do not correctly implement CORS, then they sacrifice their own security and the security of their users.
"Access-Control-Allow-Origin: *" is designed to be safe for any server exposed to the public internet; see https://annevankesteren.nl/2012/12/cors-101. It's the marker that a site is opting in to those things that are safe if the site isn't behind a firewall. Such sites should use it. But we're not going to weaken the same-origin policy to put large amounts of behind-firewall content at risk, from content at large companies to the administrative UI of many home modems and wifi access points.
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago → 6 years ago
Resolution: --- → WONTFIX
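To make the behaviour discussed above concrete, here is an added example (not code from the bug, from Firefox, or from the Fetch standard's authors) that models the Fetch standard's "CORS check", the decision a browser makes on a cross-origin response before script may read it. It reproduces the case in the bug description (credentials omitted, no Access-Control-Allow-Origin, read blocked) and the point made in the WONTFIX comment that `Access-Control-Allow-Origin: *` is safe for a public server: a wildcard never unlocks a credentialed read, so a site that sets it is only exposing what an anonymous client could fetch anyway. The header object, request shape and sample origins are constructed for the example; the model omits spec details such as the `null` origin and preflight handling.

```javascript
// Added example: a simplified model of the Fetch standard's CORS check.
// request: { origin, credentialsMode } with credentialsMode one of
//          'omit' | 'same-origin' | 'include'. On a cross-origin request,
//          'same-origin' sends no credentials, so it behaves like 'omit'.
// headers: response headers as a plain object with lower-cased names
//          (constructed input, not parsed from a real response).
function corsCheck(request, headers) {
  const allowOrigin = headers['access-control-allow-origin'];

  // Step 1: no Access-Control-Allow-Origin at all -> the read is blocked,
  // whatever the credentials mode. This is exactly the case in the bug report.
  if (allowOrigin === undefined || allowOrigin === null) {
    return { ok: false, reason: 'missing Access-Control-Allow-Origin' };
  }

  const credentialed = request.credentialsMode === 'include';

  // Step 2: a wildcard is honoured only when no credentials were sent.
  // This is why "*" is safe on a public server: it can never grant a
  // cookie-bearing read to another origin.
  if (allowOrigin === '*') {
    return credentialed
      ? { ok: false, reason: 'wildcard not allowed with credentials' }
      : { ok: true, reason: 'wildcard accepted, no credentials sent' };
  }

  // Step 3: otherwise the value must match the request origin exactly
  // (a single serialized origin; lists and patterns are not understood).
  if (allowOrigin !== request.origin) {
    return { ok: false, reason: 'Access-Control-Allow-Origin does not match request origin' };
  }
  if (!credentialed) {
    return { ok: true, reason: 'origin matched, no credentials sent' };
  }

  // Step 4: a credentialed read additionally requires the exact value "true".
  if (headers['access-control-allow-credentials'] !== 'true') {
    return { ok: false, reason: 'Access-Control-Allow-Credentials is not "true"' };
  }
  return { ok: true, reason: 'origin matched and credentials explicitly allowed' };
}

// Constructed scenarios covering the cases discussed in the bug.
function scenarios() {
  const origin = 'https://app.example'; // constructed requesting origin
  return [
    { name: 'omit, no ACAO (the bug report)',
      result: corsCheck({ origin, credentialsMode: 'omit' }, {}) },
    { name: 'omit, ACAO *',
      result: corsCheck({ origin, credentialsMode: 'omit' },
                        { 'access-control-allow-origin': '*' }) },
    { name: 'include, ACAO *',
      result: corsCheck({ origin, credentialsMode: 'include' },
                        { 'access-control-allow-origin': '*' }) },
    { name: 'include, ACAO matches, no ACAC',
      result: corsCheck({ origin, credentialsMode: 'include' },
                        { 'access-control-allow-origin': origin }) },
    { name: 'include, ACAO matches, ACAC true',
      result: corsCheck({ origin, credentialsMode: 'include' },
                        { 'access-control-allow-origin': origin,
                          'access-control-allow-credentials': 'true' }) },
  ];
}

for (const s of scenarios()) {
  console.log(`${s.result.ok ? 'ALLOW' : 'BLOCK'}  ${s.name}: ${s.result.reason}`);
}

module.exports = { corsCheck, scenarios };
```

Run with `node cors-check.js` (file name assumed). The output shows that only the two non-credentialed cases with a header present and the fully opted-in credentialed case are readable; the first scenario is the one the reporter hit, and the third is the reason a blanket `*` does not by itself expose credentialed responses.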
Updated • 5 years ago
Component: DOM → DOM: Core & HTML