JEP 183: HTTP Cross-Origin Resource Sharing
David M. Lloyd
david.lloyd at redhat.com
Thu Apr 11 15:33:13 PDT 2013
On 04/11/2013 04:23 PM, mark.reinhold at oracle.com wrote:
> Posted: http://openjdk.java.net/jeps/183
I have a few comments/random thoughts about this. It says:
> Security: Will need to be reviewed carefully since this feature does relax the network security model in two ways:
>
> No explicit network permission will be required for certain (simple) cross-origin HTTP requests, as defined by CORS.
>
> Permissions for other (non-simple) requests will be delegated to the server hosting the target resource.
I think this makes a lot of assumptions about the running code and its
security environment (in particular it seems to target applets and JWS).
Generally speaking, I think that the model of relaxing client security
permissions based on a server resource is quite dangerous, in particular
outside of an applet/JWS environment. I think a different model should
be looked at that does not involve (effectively) granting HTTP
connection privileges based on the server (at least, not always), but
instead requires that the permissions already be granted; it would be
more secure to use a separate client context which tracks what resources
the server has granted access to, while still enforcing the full set of
client permissions at all times.
In this case it is the server that should be mistrusted, not the client,
since the server is the party which is potentially granting permissions.
If you grant an HTTP access permission to a server, you are implicitly
giving that server the ability to grant the running code any other HTTP
access permission they want.
One thought is that applets/JWS could adopt the Java EE 7
permissions.xml model. This would be a convenient mechanism to give an
application access to more than its original permission set, and it
would still be possible to authorize the additional permissions with the
user before the program is run.
Thanks for listening.
--
- DML
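The two policies argued over above, written out as an added example that is mine and is not code from the net-dev thread, from JEP 183 or from the JDK. `delegated_allows` models the JEP text (simple requests need no permission; for non-simple requests the target server's CORS response decides), and `intersected_allows` models the reply's proposal (the client's pre-granted host permission set is enforced on every request, and the server's grant can only narrow it). The `Request` shape, the host-name permission strings and the function names are assumptions for illustration; the simple-request rules follow the CORS definition (GET/HEAD/POST, safelisted headers, three Content-Type values).

```python
"""Added example: delegated vs. intersected CORS permission models."""
from dataclasses import dataclass, field
from typing import Dict, Set
from urllib.parse import urlsplit

# CORS-safelisted request headers and the Content-Type values that keep a
# request "simple", i.e. sent without a preflight OPTIONS exchange.
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SIMPLE_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}
SIMPLE_METHODS = {"GET", "HEAD", "POST"}


@dataclass
class Request:
    """Assumed request shape: the running code's origin, plus the target."""
    origin: str                      # e.g. "https://app.example"
    method: str
    url: str
    headers: Dict[str, str] = field(default_factory=dict)

    @property
    def target_host(self) -> str:
        return urlsplit(self.url).netloc.lower()


def is_simple_request(req: Request) -> bool:
    """True if CORS would send this request without a preflight."""
    if req.method.upper() not in SIMPLE_METHODS:
        return False
    for name, value in req.headers.items():
        lname = name.lower()
        if lname not in SAFELISTED_HEADERS:
            return False
        if lname == "content-type":
            media_type = value.split(";", 1)[0].strip().lower()
            if media_type not in SIMPLE_CONTENT_TYPES:
                return False
    return True


def server_grants(req: Request, response_headers: Dict[str, str]) -> bool:
    """The target server's Access-Control-Allow-Origin decision."""
    lowered = {k.lower(): v for k, v in response_headers.items()}
    acao = lowered.get("access-control-allow-origin", "")
    return acao == "*" or acao == req.origin


def delegated_allows(req: Request, response_headers: Dict[str, str]) -> bool:
    """JEP-style model: no client permission is consulted at all.

    Simple requests go through unconditionally; for anything else the
    server hosting the resource is the only party that decides.
    """
    if is_simple_request(req):
        return True
    return server_grants(req, response_headers)


def intersected_allows(client_permissions: Set[str], req: Request,
                       response_headers: Dict[str, str]) -> bool:
    """Reply's model: client permissions are enforced on every request.

    `client_permissions` is the (assumed) set of target hosts the code was
    granted before it ran. A server can never widen it: its CORS response
    only decides whether an already-permitted non-simple request proceeds.
    """
    if req.target_host not in client_permissions:
        return False                # unreachable whatever the server says
    if is_simple_request(req):
        return True
    return server_grants(req, response_headers)


if __name__ == "__main__":
    # Constructed sample: code from app.example reaching api.example.
    pre = Request("https://app.example", "PUT", "https://api.example/data",
                  {"Content-Type": "application/json"})
    permissive = {"Access-Control-Allow-Origin": "*"}
    print("delegated:  ", delegated_allows(pre, permissive))           # True
    print("intersected:", intersected_allows(set(), pre, permissive))  # False
```

The contrast the reply draws shows up in the last two lines: with no client permission granted at all, a server answering `Access-Control-Allow-Origin: *` is enough for the delegated model to let a non-simple request through, while the intersected model refuses it regardless of what the server says.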