[theora] <video/> and cross site scripting policy.

Jonas Sicking jonas at sicking.cc
Fri Nov 7 19:21:39 PST 2008

Jonas Sicking wrote:
> == Enabling Access-Control means that private data is leaked!
> I also wanted to correct some misunderstandings in how Access-Control 
> works. It would be 100% safe for a bank site on the internet to put a 
> video on their server and send 'Access-Control-Allow-Origin:*' for their 
> whole site.
> Access-Control has two "modes": public and private. When in public mode 
> the browser won't send any cookies or authorization headers, or add 
> anything else to the request that identifies the user. So it knows that 
> whatever its getting is something that anyone could get using wget. With 
> the exception for things living on firewalled intranets.
> When Access-Control is in private mode it does send cookies and auth 
> headers as normal. However, it requires that the site adds the header 
> 'Access-Control-Allow-Credentials:true' to the response, otherwise 
> access to the returned data will be denied. Additionally, in private 
> mode the '*' value for Access-Control-Allow-Origin is not allowed to 
> protect against bad caching in proxies.
> So if a bank on the internet adds 'Access-Control-Allow-Origin:*' to all 
> responses, this will never allow user-private bank statements to be read 
> by other sites.
> In other words, deployment of Access-Control for public data is safe for 
> all servers on the internet. You do not need to separate your private 
> data from your public data.
> It is a bit trickier for intranet sites. This is unfortunate, and the 
> current version of Access-Control doesn't solve this in an ideal way.

Oh, there was one thing that I forgot to mention regarding Access-Control.

There was concern expressed regarding the "Origin" header getting 
stripped, like the "Referer" [sic] header often is today.

This is somewhat less likely to happen than for Referer. The reason 
Referer often is stripped is that it can contain actual private data. 
For example if the page 
"http://intranet.yahoo.com/hostile-takeovers/google.html" contains a 
link to the google homepage, the whole URI of that page would be sent to 
the google servers.

This is more than a theoretical problem. Especially query parameters can 
contain sensitive information. In the case of a page that is the result 
of a form submission the URI can contain whole messages that are then 
leaked through the "Referer" header if the user clicks anywhere on the 
result-page of the submission.

Additionally, in the case of public data it doesn't matter that the 
"Origin" header is stripped. If i'm placing a public video on my site 
and want to enable sharing I'll just add "Access-Control-Allow-Origin:*" 
to the resources I want to share (possibly the whole server through a 
global configuration). This header will be sent back to the browser 
which will grant permission, no matter if the server received the 
"Origin" header or if it was stripped by a proxy.

/ Jonas

More information about the theora mailing list