CORS Background
Tuesday, November 3, 2009
Cookies: Login
Browser -> Server A: Login Page Request
Server A -> Browser: Login Page Response ((A) Login Page)
Browser -> Server A: Login Form Submission (contains username, password)
Server A -> Browser: Login Success Response with ‘Set-Cookie’ header ((A) Login Success)
Session Established
Cookies: Buying Stuff
Browser -> Server A: Purchase Page Request (with Cookie header)
Server A -> Browser: Purchase Page Response ((A) Purchase Page)
Browser -> Server A: Purchase Form Submission (with Cookie header)
Server A -> Browser: Purchase Success Response ((A) Purchase Success)
Purchase Takes Place!
Cookies: CSRF
Browser -> Server M: Malware Page Request
Server M -> Browser: (M) Malware Page
Browser -> Server A: Purchase Form Submission (with Cookie header)
Server A -> Browser: Purchase Success Response ((A) Purchase Success)
Purchase Takes Place! OOPS!
Can’t Easily Avoid
• Need second factor to tell if submission actually came from Site A
• Origin
• Secret token (embedded in form)
CSRF: Origin Defense
Browser -> Server M: Malware Page Request
Server M -> Browser: (M) Malware Page
Browser -> Server A: Purchase Form Submission (with Cookie + Origin: M)
Server A -> Browser: Purchase Failure Response ((A) Purchase Failed)
No Purchase!
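The two "second factors" from the previous slides, the Origin check shown in this diagram and the secret token embedded in the form, as Server A's purchase endpoint might apply them. This is an added example, not code from the slides; the origin, the token key and the cookie name are assumed.

```python
import hashlib
import hmac

# Assumed values, constructed for this example (not from the slides).
SITE_A_ORIGIN = "https://a.example"
TOKEN_KEY = b"server-side key held only by Server A"


def parse_cookie(header):
    """Turn a Cookie header ('session=abc; theme=dark') into a dict."""
    cookies = {}
    for part in (header or "").split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def form_token(session_id):
    """Secret token A embeds in its purchase form. It is derived from the
    session, so a token captured from one session is useless in another."""
    return hmac.new(TOKEN_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def origin_defense(headers):
    """The browser, not the page, sets Origin, so a submission triggered by
    Server M's page arrives as 'Origin: M' and is refused. A request without
    any Origin header is refused as well (fail closed)."""
    return headers.get("Origin") == SITE_A_ORIGIN


def token_defense(headers, form):
    """The submitted token must match the one A issued for this session;
    a page served by M cannot read A's form to copy the token out of it."""
    session_id = parse_cookie(headers.get("Cookie")).get("session")
    if not session_id:
        return False
    submitted = form.get("csrf_token", "")
    return hmac.compare_digest(form_token(session_id), submitted)


def handle_purchase(headers, form):
    """Server A's purchase endpoint. Either check alone is a second factor in
    the slides' sense; requiring both here is defence in depth."""
    if not origin_defense(headers) or not token_defense(headers, form):
        return "Purchase Failure Response"
    return "Purchase Success Response"
```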
CORS Scenario
• I want to let Site A (an upcoming events site) add calendar events to Site B (my calendar)
Requirements
• Grant permission just once
• No manual steps to copy data between sites
• “AJAX” UI (avoid full page loads)
• No server-to-server communication
• No need for prior bilateral arrangement between A and B, just published API
CORS: Login
Browser -> Server A: Login Page Request
Server A -> Browser: Login Page Response ((A) Login Page)
Browser -> Server A: Login Form Submission (contains username, password)
Server A -> Browser: Login Success Response with ‘Set-Cookie’ header ((A) Login Success)
Session Established
CORS: Access Grant
Browser -> Server A: Grant Page Request (includes Cookie)
Server A -> Browser: Grant Page Response ((A) Grant Page)
Browser -> Server A: Grant Request, user picked Site B (includes Cookie)
Server A -> Browser: Grant Success Response ((A) Grant Success)
Session Established
CORS: Request
Browser -> Server B: Event Page Request
Server B -> Browser: Event Page Response ((B) Event Page)
Browser -> Server A: XHR to add calendar item (carries Cookie for A, Origin: B)
Server A -> Browser: XHR Response indicating success
Calendar Event Added
No Confused Deputy
• Server M can’t forge Origin in the browser
• Server M can’t send session cookie for A outside the browser
• Combination of Origin and Cookie soundly identifies combination of user and site
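How Server A can act on the Cookie + Origin pair from the "CORS: Request" diagram, using the grants recorded on the "Access Grant" slide. This is an added example, not code from the slides; the origins, session table and grant table are constructed.

```python
# Constructed sample state for Server A (not from the slides): sessions issued
# by the login page and grants recorded by the grant page.
SITE_A_ORIGIN = "https://a.example"
SESSIONS = {"s-alice": "alice"}                 # session cookie value -> user
GRANTS = {"alice": {"https://b.example"}}       # user -> origins the user granted


def parse_cookie(header):
    """Turn a Cookie header into a dict ({} when the header is absent)."""
    cookies = {}
    for part in (header or "").split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def authorize_calendar_add(headers):
    """Decide the 'add calendar item' XHR. Returns (status, CORS headers).

    Cookie says which user (M cannot send it from outside the browser);
    Origin says which site's script is calling (M cannot forge it inside the
    browser). Together they name the (user, site) pair the grant table is
    keyed on, so there is no deputy for M to confuse.
    """
    user = SESSIONS.get(parse_cookie(headers.get("Cookie")).get("session"))
    origin = headers.get("Origin")
    if user is None or origin is None:
        return 403, {}
    if origin == SITE_A_ORIGIN:
        return 200, {}                          # A's own page: not cross-origin
    if origin in GRANTS.get(user, set()):
        # Echo only the one granted origin; never '*' together with credentials.
        return 200, {"Access-Control-Allow-Origin": origin,
                     "Access-Control-Allow-Credentials": "true"}
    return 403, {}                              # M, or any site the user never granted
```

The decision is made before the item is added: the Access-Control headers only govern whether B's script may read the response, they do not undo an action the server has already taken.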
Fancier Scenarios Can Have CD (Confused Deputy)
• Site A asking Site B to do something on Site C
• Can also have Confused Deputy without CORS, for example poorly implemented secret tokens
How to Avoid Confused Deputy
• Don’t be a deputy!
• Never ask one server to do something on behalf of another.
• If you must...
• Guarantee that requests on behalf of a third party look different from your own
The Bad Way
Browser -> Server B: Event Page Request
Server B -> Browser: Event Page Response ((B) Event Page)
User gives Site B their Site A credentials. OOPS!
Browser -> Server B: XHR to add calendar item (carries Site A user, pw)
Server B -> Server A: Server B logs in to Server A as user (!)
Server B -> Browser: XHR Response indicating success
Calendar Event Added
Non-CORS Solutions
• For example, OAuth
• Generally require server-to-server communication
• Rely on bilateral agreement (shared secret)
OAuth
Browser -> Server B: Event Page Request
Server B -> Browser: Event Page Response ((B) Event Page)
Server B -> Server A: Ask For Request Token (signed w/ shared secret)
Server A -> Server B: Request Token
Server B -> Browser -> Server A: Redirect to Request Authorization Token (includes Cookie, A’s Request Token)
Server A -> Browser -> Server B: Redirect Back with Auth Token
Server B -> Browser: (B) Event Page (auth’d)
Browser -> Server B: XHR to add calendar item (incl Auth Token)
Server B -> Server A: Request to add calendar item (incl Auth Token)
Server A -> Server B: Success
Server B -> Browser: Success
Calendar Event Added
There is an error in this diagram: the process of exchanging a Request Token for an Authorization Token is oversimplified!