Closed Bug 1483250 Opened 6 years ago Closed 6 years ago

CORS should not be enforced on cross-origin requests where XMLHttpRequest.withCredentials is false or fetch with credentials is omit or same-origin

Categories

(Core :: DOM: Core & HTML, defect)

61 Branch
defect
Not set
normal


RESOLVED WONTFIX

People

(Reporter: david, Unassigned)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:61.0) Gecko/20100101 Firefox/61.0
Build ID: 20180807170231

Steps to reproduce:

Make a cross-origin request with
XMLHttpRequest.withCredentials = false;
or with:
fetch('https://example.com', {credentials: 'omit'});


Actual results:

Receive a Cross-Origin Resource Sharing (CORS) error.


Expected results:

The error should not have been thrown. Native apps are able to make cross-origin, credential-less requests without the need for the CORS header. Web Apps should have the ability to make credential-less requests cross-origin without requiring the origin to state that the request is allowed. Credential-less requests pose no threat to the requesting server.

Without this feature, it is more likely that a server-administrator will unknowingly add `Access-Control-Allow-Origin: *` to ALL requests (even credentialed requests), thereby creating a security vulnerability where there wasn't one before. The browser should do all of this for everyone and there isn't a good reason why it shouldn't.
Summary: CORS should not be enforced on cross-origin requests where XMLHttpRequest.withCredentials is false or fetch with crehdentials is omit → CORS should not be enforced on cross-origin requests where XMLHttpRequest.withCredentials is false or fetch with credentials is omit
Summary: CORS should not be enforced on cross-origin requests where XMLHttpRequest.withCredentials is false or fetch with credentials is omit → CORS should not be enforced on cross-origin requests where XMLHttpRequest.withCredentials is false or fetch with credentials is omit or same-origin
This would break the same-origin policy.
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → INVALID
I guess I'm saying that the same-origin policy needs to be changed.
Why is it that credential-less cross-origin requests are subject to the same-origin policy anyways?
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
Reopening based on the discussion in https://github.com/whatwg/fetch/issues/787
The way this feature is currently implemented, it not only makes the browser responsible for protecting open-access intranet sites, but it also makes every single site owner responsible for correctly implementing CORS in order to protect these few unknown open-access intranet sites. And if they do not correctly implement CORS, then they sacrifice their own security and the security of their users.
Set component.
Component: Untriaged → DOM
Product: Firefox → Core
"Access-Control-Allow-Origin: *" is designed to be safe for any server exposed to the public internet; see https://annevankesteren.nl/2012/12/cors-101 . It's the marker that a site is opting in to those things that are safe if the site isn't behind a firewall. Such sites should use it.

But we're not going to weaken the same-origin policy to put large amounts of behind-firewall content at risk, from content at large companies to the administrative UI of many home modems and wifi access points.
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
Component: DOM → DOM: Core & HTML
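The two positions in this bug, the reporter's worry that an administrator who puts `Access-Control-Allow-Origin: *` on every response (even credentialed ones) opens a hole, and the triager's point that the wildcard is safe for public servers while the same-origin policy is what shields intranet hosts, can both be checked against the CORS check a browser performs on a response. The following is an added example, not code from this bug, from Firefox, or from the Fetch standard itself: a simplified version of that check (the `corsCheck` function and the constructed scenario headers, origin `https://app.example` and the `evaluate` helper are all assumptions made for the example) run over four constructed response-header sets. It goes slightly beyond the bug's text in also covering the `same-origin` credentials mode, which on a cross-origin request behaves like `omit`.

```javascript
// Added example (not from the bug, Firefox, or the Fetch standard): a
// simplified version of the Fetch standard's "CORS check" on a response,
// applied to constructed sample headers.
//
// requestOrigin   - serialized origin of the requesting page
// credentialsMode - "omit", "same-origin" or "include", as in fetch();
//                   on a cross-origin request "same-origin" sends no
//                   credentials, so it is treated like "omit" here
// headers         - lower-cased response headers as a plain object
//                   (constructed sample data, not a real Headers object)
// Returns true if the page may read the response, false if it is blocked.
function corsCheck(requestOrigin, credentialsMode, headers) {
  const acao = headers["access-control-allow-origin"];
  if (acao === undefined) return false; // server never opted in: blocked
  if (credentialsMode !== "include" && acao === "*") return true; // credential-less + wildcard: allowed
  if (acao !== requestOrigin) return false; // "*" or another origin with credentials: blocked
  if (credentialsMode !== "include") return true; // exact origin, no credentials: allowed
  // Credentialed responses additionally need the literal "true" flag.
  return headers["access-control-allow-credentials"] === "true";
}

// Constructed requesting origin and response-header sets (sample data).
const ORIGIN = "https://app.example";
const SCENARIOS = {
  // Public API opting in with the wildcard, as the triager recommends.
  publicApiWildcard: { "access-control-allow-origin": "*" },
  // Intranet host that knows nothing about CORS: no header at all.
  intranetNoHeader: { "content-type": "text/html" },
  // The administrator mistake the reporter describes: "*" on everything,
  // even alongside Allow-Credentials.
  wildcardPlusCredentials: {
    "access-control-allow-origin": "*",
    "access-control-allow-credentials": "true",
  },
  // A deliberate credentialed opt-in: exact origin echoed plus the flag.
  exactOriginCredentials: {
    "access-control-allow-origin": ORIGIN,
    "access-control-allow-credentials": "true",
  },
};

// Runs the check for each scenario with and without credentials and
// returns { scenarioName: { omit, sameOrigin, include } }.
function evaluate() {
  const results = {};
  for (const [name, headers] of Object.entries(SCENARIOS)) {
    results[name] = {
      omit: corsCheck(ORIGIN, "omit", headers),
      sameOrigin: corsCheck(ORIGIN, "same-origin", headers),
      include: corsCheck(ORIGIN, "include", headers),
    };
  }
  return results;
}

console.log(JSON.stringify(evaluate(), null, 2));
```

Reading the result: the wildcard lets credential-less reads through and nothing else, so the "`*` on everything" misconfiguration does not expose a credentialed response, because the check refuses to match `*` against the requester's origin once credentials are included; the intranet host with no header is blocked in every mode, which is exactly the protection the triager says would be lost if credential-less cross-origin reads were exempted from the check.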