Hacker News new | ask | show | jobs
by captainmuon 3331 days ago
It would be easy to make sending credentials opt-in in a new HTTP or HTML version. The way it's done now is backwards IMHO.

Define httpsb:// do be like https://, but any site may make ajax and similar requests to it (without credentials). Then make some kind of exception (like csrf protection), or use legacy https, in case you need to send cookies.
2 comments
0x0 3331 days ago
But an attacker would simply use <script src="https://..", instead of <script src="httpsb://.." ?
link
MereInterest 3331 days ago
Only if that is supported by the site being attacked. If the site only accepts httpsb connections, then the attacker would not have a way in.
link
hdhzy 3331 days ago
If the site accepts httpsb it can as well support the Origin header [0] and the problem is solved.

[0]: https://wiki.mozilla.org/Security/Origin

link
kuschku 3330 days ago
The whole point is to allow any site to access any other site, just like plain TCP sockets, without stealing your cookies.

If the site wants to access google.com with its own cookies, fine, why not?

link
hdhzy 3330 days ago
Could you elaborate on the "stealing your cookies" part?

Cookies are sent only to the origin that set them and (except XSS attacks) are not revealed to anyone else. So who exactly is stealing them?

link
kuschku 3330 days ago
Well, currently, nothing. But currently, the web is completely broken.

If you want web-applications to be powerful, and open, you also need to be able to have any web application to access any URL.

Why should only mail.google.com be able to access my emails, and not also my-little-opensource-webmail.com ?

To faciliate that, without also adding cookie stealing back in, you need to allow any website to open standard TCP sockets.

link
homakov 3331 days ago
I proposed a header instead of a protocol btw

https://medium.com/@homakov/request-for-a-new-header-state-o...

link
hdhzy 3331 days ago
Sounds good but I suspect it will meet the same fate as XHTML 2: designed to be clean and perfect but in reality it would take to much effort to implement and maintain.

From your professional experience you can probably tell people would rather have slightly insecure site that works and gives profits rather than broken one because SOTA started including some new feature you didn't know...

People would rather enable these individual headers one by one and see their effect. In h2 headers are compressed so it's not a big deal (besides looking ugly).

link
homakov 3326 days ago
> SOTA started including some new feature you didn't know

if you sign for 2 versions, changes in 3 would not brake you. and the point is MANY things right now could be safe to turn on for 99.99%, e.g. XFO. So, not much effort

link