undefined | Better HN

0 pointsoplav6y ago0 comments

That's what CORS is for, but it appears that there is no CORS for WebSockets.

0 comments

8 comments · 4 top-level

souterrain6y ago· 4 in thread

CORS is not in the hands of the user. I don’t want a CORS policy authorizing access to my intranet or localhost.

CORS is set by the target, so localhost CORS policy is directly in the hands of the user. intranet CORS policy is set by whoever operates that intranet service

souterrain6y ago

You’re right; a bit of a brain fail there for me.

Still, doesn’t mitigate attacks against non-HTTP speakers.

1 more reply

oplavOP6y ago

If the user decides to run a service on their intranet or localhost with a wide open CORS policy, isn't that their choice?

Forgoing CORS and making all inter domain requests user opt-in would make the web experience a lot worse, IMO. Making all intranet or localhost requests user opt-in seems less disruptive.

souterrain6y ago

However, TCP sockets can't publish CORS policies.

In the case of scanning, a CORS denial can still reveal information about the user's internal network, as a CORS denial is a different result than a network timeout or a TCP RST.

xg156y ago

WS does have its own way of cross-domain opt-in. I think it users slightly different headers than CORS for historical reasons but effective does the same.

That a script is able to gather information about an origin that did not it in seems like a serious bug to me.

johncolanduoni6y ago

This is because websockets were created after the same origin policy, so they have always sent the origin header that allows the server to filter connections. CORS was only needed because the browsers were adding the same origin policy to HTTP requests that had historically never had it, so they needed some set of rules (and overrides for them) that didn’t break existing websites.

gfxgirl6y ago

CORS has nothing to help with here. The site doing the scanning is not able to make connections. Rather it's only able to tell if the port is listening or not. CORS would still be listening so they'd get the same info they're getting now.

j / k navigate · click thread line to collapse

0 comments

8 comments · 4 top-level

souterrain6y ago· 4 in thread

CORS is not in the hands of the user. I don’t want a CORS policy authorizing access to my intranet or localhost.

kevingadd6y ago

CORS is set by the target, so localhost CORS policy is directly in the hands of the user. intranet CORS policy is set by whoever operates that intranet service

souterrain6y ago

You’re right; a bit of a brain fail there for me.

Still, doesn’t mitigate attacks against non-HTTP speakers.

1 more reply

oplavOP6y ago

If the user decides to run a service on their intranet or localhost with a wide open CORS policy, isn't that their choice?

Forgoing CORS and making all inter domain requests user opt-in would make the web experience a lot worse, IMO. Making all intranet or localhost requests user opt-in seems less disruptive.

souterrain6y ago

However, TCP sockets can't publish CORS policies.

In the case of scanning, a CORS denial can still reveal information about the user's internal network, as a CORS denial is a different result than a network timeout or a TCP RST.

xg156y ago

WS does have its own way of cross-domain opt-in. I think it users slightly different headers than CORS for historical reasons but effective does the same.

That a script is able to gather information about an origin that did not it in seems like a serious bug to me.

johncolanduoni6y ago

gfxgirl6y ago

j / k navigate · click thread line to collapse