Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Appcache allows bypassing of Access-Control-Allow-Credentials #1427

Closed
jakearchibald opened this issue Jun 15, 2016 · 8 comments
Closed

Appcache allows bypassing of Access-Control-Allow-Credentials #1427

jakearchibald opened this issue Jun 15, 2016 · 8 comments
Labels
security/privacy There are security or privacy implications topic: appcache

Comments

@jakearchibald
Copy link
Contributor

Demo: https://github.com/jakearchibald/appcache-credentials

Appcache allows you to bypass CORS checks on pages that:

  • are served with Access-Control-Allow-Origin: *
  • contain sensitive data when fetched with credentials

Without appcache, developers can add Access-Control-Allow-Origin: * to all resources available on the public internet, even if the data is sensitive with credentials (Vary: Cookie must be used if the resource is cachable). If the resource is fetched with credentials the CORS check will fail because Access-Control-Allow-Credentials is absent and Access-Control-Allow-Origin is not the requesting origin.

Appcache caches everything with credentials and no-cors, and it serves items from its cache regardless of credentials or mode. This allows an attacker to cache a response requested with credentials, and later retrieve it using a no-credentials fetch, which only requires Access-Control-Allow-Origin: * to allow JS to access the content.

@jakearchibald
Copy link
Contributor Author

Possible solutions

Remove appcache

Many existing sites lose offline functionality, but continue to work online unless lack of appcache APIs triggers JS errors.

Concede that ACAO: * cannot be blanketly used

Developers must only use Access-Control-Allow-Origin: * on resources that never display private data, with credentials or not. This may slow down CORS adoption.

Change appcache to cache using CORS

This could be seen as a step towards deprecation. However, this may prevent a large number of sites updating, leaving users stuck on older versions if CORS headers aren't added.

Change appcache to cache without credentials

I'm not sure how many sites this would break. Credentials could be used for same-origin resources.

Change appcache to cache each resource twice, with & without credentials

Then appcache could serve one of the two depending on the credential mode of the request. This should be backwards compatible, but doubles the bandwidth & storage requirements of appcache.

@annevk
Copy link
Member

annevk commented Jun 20, 2016

I think the last one is the way to go. That's also how the HTTP cache is supposed to behave (though we haven't defined that in detail yet, see whatwg/fetch#307).

Not sure we have to cache each resource twice, but we should add a flag as to whether it was cached with credentials or without and reply as appropriate.

@jakearchibald
Copy link
Contributor Author

Not sure we have to cache each resource twice

I guess we could make the fetches "same-origin" when it comes to credentials, but it's difficult to judge how much content we'll break by doing that.

@annevk
Copy link
Member

annevk commented Jun 20, 2016

I think the main thing we have to do is that if we do "no-cors" + "include" from the AppCache manifest, we don't use those for XHR "cors" + "same-origin".

@jakearchibald
Copy link
Contributor Author

Does that mean appcache will fail for hosted fonts (as they require CORS)?

@annevk
Copy link
Member

annevk commented Jun 20, 2016

Yeah, I guess it would. I guess it would require the alternative strategy of caching everything twice...

@domenic domenic added the security/privacy There are security or privacy implications label Jun 20, 2016
@annevk
Copy link
Member

annevk commented Jul 8, 2016

@annevk
Copy link
Member

annevk commented Nov 17, 2020

Let's fold this into #151.

@annevk annevk closed this as completed Nov 17, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
security/privacy There are security or privacy implications topic: appcache
Development

No branches or pull requests

3 participants