Talk:Test Cross Origin Resource Sharing (OTG-CLIENT-007) - Revision history

Collin Sauve at 20:37, 25 February 2019

2019-02-25T20:37:01Z

Collin Sauve at 20:34, 25 February 2019

2019-02-25T20:34:35Z

Collin Sauve at 20:34, 25 February 2019

2019-02-25T20:34:25Z

Collin Sauve at 20:33, 25 February 2019

2019-02-25T20:33:27Z

Collin Sauve: Created page with "I've removed the bad "Gray Box" examples as they are BOTH bad: Example 1 is not an example of an inherently insecure request. Allowing all origins is perfectly fine UNLESS yo..."

2019-02-25T20:33:16Z

Created page with "I've removed the bad "Gray Box" examples as they are BOTH bad: Example 1 is not an example of an inherently insecure request. Allowing all origins is perfectly fine UNLESS yo..."

New page

I've removed the bad "Gray Box" examples as they are BOTH bad:
Example 1 is not an example of an inherently insecure request. Allowing all origins is perfectly fine UNLESS you also allow credentials. If anyone wants to claim that it is insecure you'll need to justify your reasoning here not just assert it.

Example 2 is an XSS problem. The only that that CORS could do here is CORS headers on the ATTACKER'S site could mitigate that, which is outside of your control. Just a terrible, terrible example of CORS misconfigurations since the "misconfiguration" is on the attackers site. Amazing that this example made it into this wiki in the first place.
[[User:Collin Sauve|Collin Sauve]] ([[User talk:Collin Sauve|talk]]) 14:33, 25 February 2019 (CST)

@@ Line 1: / Line 1: @@
 I've removed the bad "Gray Box" examples as they are BOTH bad:
-* Example 1 is not an example of an inherently insecure request.  Allowing all origins is perfectly fine unless you also allow credentials.   If anyone wants to claim that it is insecure you'll need to justify your reasoning here not just assert it.
+* Example 1 is not an example of an inherently insecure request.  Allowing all origins is perfectly fine unless you also allow credentials and the server authenticates using those credentials.   If anyone wants to claim that it is insecure you'll need to justify your reasoning here not just assert it.  As an example an API that authenticates using Bearer Auth does not have any need to concern itself with cross-origin calls since the possession of the bearer token is what matters.
 * Example 2 is an XSS problem.  The only thing that that CORS could do here is CORS headers on the '''attacker's''' site could mitigate that, which is outside of your control.  Just a terrible, terrible example of CORS misconfigurations since the alleged misconfiguration is on the attacker's site.  Amazing that this example made it into this wiki in the first place.
 [[User:Collin Sauve|Collin Sauve]] ([[User talk:Collin Sauve|talk]]) 14:33, 25 February 2019 (CST)

@@ Line 3: / Line 3: @@
 * Example 1 is not an example of an inherently insecure request.  Allowing all origins is perfectly fine unless you also allow credentials.   If anyone wants to claim that it is insecure you'll need to justify your reasoning here not just assert it.
-* Example 2 is an XSS problem.  The only that that CORS could do here is CORS headers on the '''attacker's''' site could mitigate that, which is outside of your control.  Just a terrible, terrible example of CORS misconfigurations since the alleged misconfiguration is on the attacker's site.  Amazing that this example made it into this wiki in the first place.
+* Example 2 is an XSS problem.  The only thing that that CORS could do here is CORS headers on the '''attacker's''' site could mitigate that, which is outside of your control.  Just a terrible, terrible example of CORS misconfigurations since the alleged misconfiguration is on the attacker's site.  Amazing that this example made it into this wiki in the first place.
 [[User:Collin Sauve|Collin Sauve]] ([[User talk:Collin Sauve|talk]]) 14:33, 25 February 2019 (CST)

@@ Line 1: / Line 1: @@
 I've removed the bad "Gray Box" examples as they are BOTH bad:
-* Example 1 is not an example of an inherently insecure request.  Allowing all origins is perfectly fine UNLESS you also allow credentials.   If anyone wants to claim that it is insecure you'll need to justify your reasoning here not just assert it.
+* Example 1 is not an example of an inherently insecure request.  Allowing all origins is perfectly fine unless you also allow credentials.   If anyone wants to claim that it is insecure you'll need to justify your reasoning here not just assert it.
-* Example 2 is an XSS problem.  The only that that CORS could do here is CORS headers on the ATTACKER'S site could mitigate that, which is outside of your control.  Just a terrible, terrible example of CORS misconfigurations since the "misconfiguration" is on the attackers site.  Amazing that this example made it into this wiki in the first place.
+* Example 2 is an XSS problem.  The only that that CORS could do here is CORS headers on the '''attacker's''' site could mitigate that, which is outside of your control.  Just a terrible, terrible example of CORS misconfigurations since the alleged misconfiguration is on the attacker's site.  Amazing that this example made it into this wiki in the first place.
 [[User:Collin Sauve|Collin Sauve]] ([[User talk:Collin Sauve|talk]]) 14:33, 25 February 2019 (CST)