Add new Access-Control-Suppress-Headers CORS response header #253
Comments
|
I could see this as a complimentary header to AC-Expose-Headers that takes precedence in case of conflict. I'm not sure we should make them mutually exclusive. That way you can have a server-wide policy of suppressing certain debug headers, while individual resources can expose what they think is relevant and you don't have to worry about individual resources leaking too much (unless hey include the information elsewhere, but then you're already done for). |
|
Can you provide an example of when you wouldn't want a certain header to be exposed? But you still want to send that header to the client? I.e. if there are certain headers that you know you don't want the client to see, why send them at all? |
|
Hey Jonas, That's a good question! I don't have a good example, because I don't think there is one. This is In short, AC-Expose-headers is a whitelisting mechanism - it defines which At least, that's my thinking. |
|
Before Access-Control-Expose-Headers was added no headers except "safe" headers ( Without an actual use case I don't think we should attempt to resolve this issue as filed. |
|
Here is where the feature was added to Gecko: https://bugzilla.mozilla.org/show_bug.cgi?id=597301#c13 |
|
Indeed, see https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name for the safelist (the names listed in expose are an modification to that safelist). |
|
@sicking, so prior to AC-Expose-Headers, no headers were exposed except for the ones on the safelist? And then when AC-Expose-Headers was added, we had the ability to specify additional specific headers to expose? I agree with the original idea that not exposing any non-safe headers is too restrictive. The problem as I see it, is that without allowing either of the following:
or
then we are still hobbled by the fact that developers need to update their CORS setup every time they add a new header to an API response which might need to be accessed by client-side code. I know this doesn't seem like a big deal, but in my experience working with development teams, there can be a huge disconnect between the back-end developers, front-end developers and whoever is in charge of the web server. I think that Access-Control-Suppress-Headers would be a simpler, and safer solution - allowing a team to specify the following:
would be a one-time change that would allow development teams to add new response headers on an ongoing basis, without needing to update the Access-Control-Expose-Headers value each time. It's also clearer to both ends what is being done - specific headers are being suppressed. This would change the spec to be as follows (addition of the line at the end): A CORS-safelisted response-header name, given a header list list, is a header name that is one of:
Originally I said that I thought that Access-Control-Expose-Headers and Access-Control-Suppress-Headers should be mutually exclusive, but on further consideration, it makes sense if Access-Control-Suppress-Headers overrides Access-Control-Expose-Headers. In other words, if the response includes the following:
then the CORS-safelisted response-header names for the request would be:
So there would be no error if both Access-Control-Suppress-Headers and Access-Control-Expose-Headers are specified, although typically only one of them would be specified. |
|
I agree that You still have not provided a use case for The whole design philosophy behind CORS is that server-side developers should not be required to have perfect understanding of all the code that is running on your webserver but still allow them to expose data that they want to expose to 3rd parties. So even on a server where you might be handling sensitive user data, or where you might have scripts that do sensitive transactions on the server, you can white-list certain URLs and let those send and receive data. And you can do that without having to perfectly audit the rest of the URL-handling scripts on the server. But say that the server-side developer know that some URLs serves some data that should be shared with 3rd parties, and some data that should not be shared with 3rd parties. In that case, simply stop sharing the data that should not be shared with third parties before you opt in to CORS for that URL. It seems silly to at that point opt in to CORS but knowingly keep sending the data that should not be shared, and send a header saying "I know i'm sending this data, but please don't share it with the website". Simply stop sending the data instead. Or, to put it another way. If you can't perfectly audit what data you are sending in which headers, use |
|
@sicking, OK, here's a use-case for Access-Control-Suppress-Headers. You A developer has multiple endpoints (API's) on the same server. Each API So we have something like this:
If we only allow Access-Control-Expose-Headers, then the generation of that
However, if we are able to simply specify this:
then this can be done in the load-balancer or CDN, by someone with only Additionally, if a new header, x-header4 is being added to any of the Essentially, if we make security simpler to implement, then more people I think the problem here is that server-side developers are not a single Note: I have updated my disclosure at the bottom of the original post. |
|
@sicking, in fact, the two header options lend themselves well to working together. The following code could be used (as before, implemented in many possible places 'up the chain' between the backend code and the browser - generic init code, Apache config, load-balancer, CDN, whatever):
Browsers would treat this to mean that all headers (except for |
|
Yes, I think the use-case is contrived. Doesn't feel common enough to add specific features for. It's even more contrived when you consider the fact that it's only useful for requests that include credentials which is a minority use case in and of itself. It's also supported through multiple other means:
And yes, I understand that |
|
@sicking, yes, I thought you'd say that :) I don't want to beat a dead horse here, but: With all due respect to yourself, Anne, Craig (and any others who have been involved in the 3 issues I have raised recently as well as the development of the CORS standard), I am concerned that you have been lucky enough to have had experiences (within the 'pure tech' world of browser development) that are more 'limited' than mine. My experience is the opposite - I think it's actually pretty common to have the sort of setup that I described - in fact, it's taken from real life. I'm saying this from many years working with customers in the retail, manufacturing and financial segments, as well as developing software myself. Obviously my experiences may not mirror the wider 'web community' and I hesitate to extrapolate too far, but I'm explicitly not coming from the pure tech side. I' have seen different teams develop different areas of the application(s), which are then updated over the years by other teams. Documentation is minimal (if existent at all). Most people understand their own language/team/tool (and may be excellent at it!), but may not have much understanding of the wider scope of things. For instance, they can put together a great Java application to retrieve data from the backend and build a JSON response, but they don't know about more than the basics, since some other software will actually deal with sending that data to the browser. Additionally, my experience (again!) is that most requests are made with credentials - basically, to pass/retrieve cookies. For instance, retail sites (amongst many others) use lots of cookies, and often need to include them with every request. If in doubt, developers will set I agree however, that there are multiple ways round this. I just thought that this was simpler for the end user to understand and implement. Finally, why do you say that this is this only an issue for requests that include credentials? |
|
For requests without credentials, any header can easily be read by simply using a non-browser HTTP client. I.e. I can use wget to make any URL from any server, using any method and any headers that I want. And I can read the full response including all response headers. The only thing I can't do, is make that request with your cookies. |
|
@sicking, the agreement for It still seems sensible to have something like |
|
In this comment I said I'm fine with adding I don't think we should add All of these other ways seems more security-wise sound and have the advantage that they work on existing browsers. |
|
@sicking, maybe I'm confused, but surely I can use cURL to make a cross-domain GET request passing/receiving cookies (also passing the requisite CORS headers and responding appropriately to the preflight OPTIONS request/response)? In that case, wouldn't I be able to see any GET response headers, regardless of what value might be returned in Access-Control-Expose-Headers? At any rate, I'd prefer to allow |
|
@roryhewitt you can't do that with someone else their cookies. I recommend studying https://annevankesteren.nl/2015/02/same-origin-policy. I agree with @sicking that a big concern with exclude would be that it's not backwards compatible. Therefore, it's probably best not to add this. #252 exists for expanding expose, so closing this. |
Conversely, it allows those developers to footgun themselves by adding a new sensitive header and forgetting to update the AC-Suppress-H list. If your application needs the data you'll quickly figure it out if you forget to update ACEH; forgetting to update ACSH leads to a security vulnerability. A long and painful history teaches us that forgetting is likely either way. We strongly lean towards causing work for developers versus trouble for everyone. |
As an alternative/supplement to the existing Access-Control-Expose-Headers CORS response header, could we have a new header, as defined below:
Access-Control-Suppress-Headers = "Access-Control-Suppress-Headers" ":" #field-name
Access-Control-Suppress-Headers and Access-Control-Expose-Headers are mutually exclusive. If both headers are returned in response to a CORS preflight OPTIONS request, all non-simple headers are suppressed (not exposed).
Otherwise, if Access-Control-Suppress-Headers is returned (in response to a CORS preflight OPTIONS request), the list of exposed headers must be updated to include all simple response headers and any headers other than those of which the field name is an ASCII case-insensitive match for one of the values of the Access-Control-Suppress-Headers headers (if any), before exposing response headers to APIs defined in CORS API specifications.
Therefore, even if the Access-Control-Suppress-Headers includes a simple header, that header will still be exposed - the Access-Control-Suppress-Headers value applies only to non-simple headers.
Essentially, where Access-Control-Expose-Headers whitelists response headers (disallow all except those specified), Access-Control-Suppress-Headers blacklists response headers (allow all except those specified).
Why do I want this?
As often as not, when developers use the Access-Control-Expose-Headers, what they really want is to ensure that certain headers are not available to client-side code - effectively, they have to list all the allowed headers. If the backend code changes and new headers are added, the code which sets the Access-Control-Expose-Headers value must also be updated. By allowing those developers to explicitly define which headers should be hidden from client-side code, it gives them the ability to not worry about having to explicitly add new headers to the Access-Control-Expose-Headers 'list'.
Where CDN's and load balancers are brought into the mix, this also makes it easier for them, since this is another place where the CORS preflight OPTIONS request (including the Access-Control-Expose-Headers response header) may be handled, so simplifying here would be useful.
(Full disclosure: I work for Akamai, a large CDN. My views do not represent any official Akamai position. That being said, implementing this might make our (and out customer's) lives easier. I have also implemented CORS solutions using an F5 LTM load balancer, and run into this problem).
The text was updated successfully, but these errors were encountered: