
Mandate Access-Control-Allow-Origin: * for files available in public to allow browser based clients #653

Open
bernhardreiter opened this issue Sep 25, 2023 · 2 comments
bernhardreiter commented Sep 25, 2023

If a server is serving CSAF 2.0 related files to the public it MUST set the HTTP header Access-Control-Allow-Origin: * to allow web browser based clients.

This header setting allows "cross-origin resource sharing" (CORS), so that an application within a browser from a third-party domain can access the CSAF information (like security.txt, provider-metadata.json, ROLIE files and the CSAF documents themselves).

Without this header, for example, a single-page application cannot access the contents of the files of a CSAF Provider. See the following code example, which you can run in a web browser with JavaScript enabled (save it as testcors.html and open it with the browser).

```html
<!DOCTYPE html>
<html lang="en">
<body>
  <h1>JSON Data Fetched From URL</h1>
  <div id="data"></div>

  <script type="text/javascript">
    // Replace this URL with the actual URL of the JSON file you want to fetch
    var url = 'https://wid.cert-bund.de/.well-known/csaf/provider-metadata.json';
    //var url = 'https://jsonplaceholder.typicode.com/todos/1';

    async function getData() {
        try {
            // A cross-origin fetch() rejects with a TypeError when the response
            // carries no usable Access-Control-Allow-Origin header.
            const response = await fetch(url);
            // variant showing that we indeed get no response with `no-cors`:
            // the response is opaque, so response.json() throws
            //const response = await fetch(url, { mode: 'no-cors' });
            if (!response.ok) {
                throw new Error(`HTTP ${response.status}`);
            }
            const data = await response.json();

            let ul = document.createElement("ul");
            for (let key in data) {
                let li = document.createElement('li');
                // stringify so nested objects do not render as [object Object]
                li.textContent = `${key}: ${JSON.stringify(data[key])}`;
                ul.appendChild(li);
            }
            document.getElementById('data').appendChild(ul);
        } catch (error) {
            console.log(`Error fetching data: ${error}`);
        }
    }

    getData();
  </script>
</body>
</html>
```

You will not see any contents. If you comment out the WID URL and use the one from a testing JSON file, it can be seen that the contents are displayed. A look into the development tools and the network requests shows that a respective header is given.

References:

@tschmidtb51 tschmidtb51 self-assigned this Sep 27, 2023
sthagen commented Sep 27, 2023

During the 2023-09-27 meeting of the TC, the members considered the inclusion of the proposed addition to the CSAF v2.1 standard.

If a server is serving CSAF 2.0 related files to the public it MUST set the HTTP header Access-Control-Allow-Origin: * to allow web browser based clients.

The TC decided to not include the proposal in CSAF v2.1, instead label it as v2.x and maybe come back to the proposal later.

@sthagen sthagen added the csaf 2.x Maybe future label Sep 27, 2023
bernhardreiter commented Sep 28, 2023

@sthagen thanks for the note.

Additional information:
In my understanding from the MDN documentation setting the header using the * directive is a safe choice, because browsers will only allow the resource sharing for requests without credentials.

To cite from https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin#directives :

For requests without credentials, the literal value "*" can be specified as a wildcard; the value tells browsers to allow requesting code from any origin to access the resource. Attempting to use the wildcard with credentials results in an error.
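As an added example (not code from the issue or the CSAF project), the following Node.js script models the two sides of this discussion: the headers a provider could attach to its publicly served CSAF files, and the CORS check a browser performs (per the Fetch standard) before releasing a cross-origin response body to the page, including the rule quoted from MDN that the wildcard is rejected for credentialed requests. The origin `https://spa.example`, the path prefixes and the function names are assumptions made for the illustration.

```javascript
// Added example, not part of the issue or the CSAF project. Origins, paths and
// header sets below are constructed for illustration.

// Server side: public CSAF locations that should carry the wildcard header.
// The prefixes are assumptions; real providers also serve ROLIE feeds and
// advisories under the directories named in provider-metadata.json.
const PUBLIC_CSAF_PREFIXES = [
  '/.well-known/csaf/',
  '/.well-known/security.txt',
];

// Returns the response headers a provider would send for a given path.
// Only public CSAF paths get Access-Control-Allow-Origin: *.
function csafResponseHeaders(path) {
  const headers = {
    'content-type': path.endsWith('.json') ? 'application/json' : 'text/plain',
  };
  if (PUBLIC_CSAF_PREFIXES.some((prefix) => path.startsWith(prefix))) {
    // Browsers honour "*" only for credential-less requests, so the wildcard
    // cannot expose anything gated behind cookies or client certificates.
    headers['access-control-allow-origin'] = '*';
  }
  return headers;
}

// Client side: the CORS check from https://fetch.spec.whatwg.org/#cors-check,
// applied to a cross-origin response. Returns true when the calling page may
// read the body; false corresponds to the rejected fetch() in testcors.html.
function corsCheck(requestOrigin, credentialsMode, responseHeaders) {
  const allowOrigin = responseHeaders['access-control-allow-origin'];
  if (allowOrigin === undefined) return false;
  if (credentialsMode !== 'include') {
    // Without credentials either "*" or an exact origin match is accepted.
    return allowOrigin === '*' || allowOrigin === requestOrigin;
  }
  // With credentials the wildcard is refused: an exact origin match plus
  // Access-Control-Allow-Credentials: true is required.
  if (allowOrigin !== requestOrigin) return false;
  return responseHeaders['access-control-allow-credentials'] === 'true';
}

// Scenarios mirroring the testcors.html experiment: a single-page application
// at a constructed origin fetching provider-metadata.json from a provider.
const SPA_ORIGIN = 'https://spa.example';
const METADATA_PATH = '/.well-known/csaf/provider-metadata.json';

function scenarios() {
  const withHeader = csafResponseHeaders(METADATA_PATH);
  // Constructed response of a provider that sets no CORS header at all.
  const withoutHeader = { 'content-type': 'application/json' };
  return {
    // No header: fetch() rejects and the page renders nothing.
    missingHeader: corsCheck(SPA_ORIGIN, 'same-origin', withoutHeader),
    // "*" without credentials: readable from any origin.
    wildcardNoCredentials: corsCheck(SPA_ORIGIN, 'same-origin', withHeader),
    // "*" with credentials: refused, as the MDN note states.
    wildcardWithCredentials: corsCheck(SPA_ORIGIN, 'include', withHeader),
  };
}

function printReport() {
  const result = scenarios();
  for (const [name, readable] of Object.entries(result)) {
    console.log(`${name}: ${readable ? 'body readable' : 'blocked by CORS'}`);
  }
  return result;
}

printReport();
```

The `credentialsMode` argument mirrors the `credentials` option of `fetch()`; a plain `fetch(url)` uses `same-origin`, which for a cross-origin URL sends no cookies and therefore takes the wildcard branch.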
