[tombakt]

No, a preflight (OPTIONS) request is sent by the browser first prior to sending the request initiated by the application. I would be surprised if it is possible for the client browser to control this OPTIONS request more than just the URL. I am curious if anyone else has any input on this topic though.

Maybe there is some side-channel timing that can be used to determine the existence of a device, but not so sure about actually crafting and delivering a malicious payload.

[varenc]

This tag:

    <img src="http://192.168.1.1/router?reboot=1">

triggers a local network GET request without any CORS involvement.

[grrowl]

I remember back in the day you could embed <img src="http://someothersite.com/forum/ucp.php?mode=logout"> in your forum signature and screw with everyone's sessions across the web

[lobsterthief]

Haha I remember that. The solution at the time for many forum admins was to simply state that anyone found to be doing that would be permabanned. Which was enough to make it stop completely, at least for the forums that I moderated. Different times indeed.

[sedatk]

Or you could just make the logout route POST-only. Problem solved.

[anthk]

<img src="C:\con\con"></img>

[jbverschoor]

It's essentially the same, as many apps use HTTP server + html client instead of something native or with another IPC.

[lyu07282]

Exactly you can also trigger forms for POST or DELETE etc. this is called CSRF if the endpoint doesn't validate some token in the request. CORS only protects against unauthorized xhr requests. All decades old OWASP basics really.

[formerly_proven]

That highly ranked comments on HN (an audience with way above average-engineer interest in software and security) get this wrong kinda explains why these things keep being an issue.

[mrguyorama]

I'm betting HN is vastly more normal people and manager types than people want to admit.

None of us had to pass a security test to post here. There's no filter. That makes it pretty likely that HN's community is exactly as shitty as the rest of the internet's.

People need to stop treating this community like some club of enlightened elites. It's hilariously sad and self-congratulatory.

[lyu07282]

I don't know why you are getting downvoted, you do have a point. Some of the comments appear knowing what CORS headers are, but neither their purpose nor how it relates to CSRF it seems, which is worrying. It's not meant as disparaging. My university thought a course on OWASP thankfully, otherwise I'll probably also be oblivious.

[_cenw]

If you're going cross-domain with XHR, I'd hope you're mostly sending json request bodies and not forms.

Though to be fair, a lot of web frameworks have methods to bind named inputs that allow either.

[bawolff]

This misses the point a bit. CSRF usually applies to people who want only same domain requests and dont realize that cross domain is an option for the attacker.

In the modern web its much less of an issue due to samesite cookies being default .

[bawolff]

> Exactly you can also trigger forms for POST or DELETE etc

You cant do a DELETE from a form. You have to use ajax. If cross DELETE needs preflight.

To nitpick, CSRF is not the ability to use forms per se, but relying solely on the existence of a cookie to authorize actions with side effects.

[buildfocus]

This expectation is that this should not work - well behaved network devices shouldn't accept a blind GET like this for destructive operations. Plenty of other good reasons for that. No real alternative unless you're also going to block page redirects & links to these URLs as well, which also trigger a similar GET. That would make it impossible to access any local network page without typing it manually.

While it clearly isn't a hard guarantee, in practice it does seem to generally work as these have been known issues without apparent massive exploits for decades. That CORS restrictions block probing (no response provided) does help makes this all significantly more difficult.

[oasisbob]

"No true Scotsman allows GETs with side effects" is not a strong argument

It's not just HTTP where this is a problem. There are enough http-ish protocols where protocol smuggling confusion is a risk. It's possible to send chimeric HTTP requests at devices which then interpret them as a protocol other than http.

[bawolff]

Yes, which is why web browsers way back even in the netscape navigator era had a blacklist of ports that are disallowed.

[LegionMammal978]

The idea is, the malicious actor would use a 'simple request' that doesn't need a preflight (basically, a GET or POST request with form data or plain text), and manage to construct a payload that exploits the target device. But I have yet to see a realistic example of such a payload (the paper I read about the idea only vaguely pointed at the existence of polyglot payloads).

[MajesticHobo2]

There doesn't need to be any kind of "polyglot payload". Local network services and devices that accept only simple HTTP requests are extremely common. The request will go through and alter state, etc.; you just won't be able to read the response from the browser.

[EGreg]

Exactly. People who are answering must not have been aware of “simple” requests not requiring preflight.

[Sophira]

I can give an example of this; I found such a vulnerability a few years ago now in an application I use regularly.

The target application in this case was trying to validate incoming POST requests by checking that the incoming MIME type was "application/json". Normally, you can't make unauthorized XHR requests with this MIME type as CORS will send a preflight.

However, because of the way it was checking for this (checking if the Content-Type header contained the text "application/json"), It was relatively easy to construct a new Content-Type header that bypasses CORS:

Content-Type: multipart/form-data; boundary=application/json

It's worth bearing in mind in this case that the payload doesn't actually have to be form data - the application was expecting JSON, after all! As long as the web server doesn't do its own data validation (which it didn't in this case), we can just pass JSON as normal.

This was particularly bad because the application allowed arbitrary code execution via this endpoint! It was fixed, but in my opinion, something like that should never have been exposed to the network in the first place.

[apitman]

This is a great example; thanks.

[freeone3000]

Oh, you can only send arbitrary text or form submissions. That’s SO MUCH.

[tomrod]

Correct.

[mirashii]

You don't even need to be exploiting the target device, you might just be leaking data over that connection.

https://news.ycombinator.com/item?id=44169115

[notpushkin]

Yeah, I think this is the reason this proposal is getting more traction again.

[kbolino]

Here's a formal definition of such simple requests, which may be more expansive than one might expect: https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/COR...

[chuckadams]

Some devices don't bother to limit the size of the GET, which can enable a DOS attack at least, a buffer overflow at worst. But I think the most typical vector is a form-data POST, which isn't CSRF-protected because "it's on localhost so it's safe, right?"

I've been that sloppy with dev servers too. Usually not listening on port 80 but that's hardly Ft Knox.

[drexlspivey]

It can send a json-rpc request to your bitcoin node and empty your wallet

[LegionMammal978]

Do you know of any such node that doesn't check the Content-Type of requests and also has no authentication?

[drexlspivey]

Bitcoin Core if you disable authentication

[LegionMammal978]

There's no such thing, short of forking it yourself. You can set the username and password to admin:admin if you want, but Bitcoin Core's JSON-RPC server requires an Authorization header on every request [0], and you can't put an Authorization header on a cross-origin request without a preflight.

[0] https://github.com/bitcoin/bitcoin/blob/v29.0/src/httprpc.cp...

[drexlspivey]

Good to know, I remember you used to be able to disable it via config but looks like I was wrong

[bawolff]

I think that is because it is so old that its basically old news and mostly mitigated.

https://www.kb.cert.org/vuls/id/476267 is an article from 2001 on it.

[rafram]

You’re forgetting { mode: 'no-cors' }, which makes the response opaque (no way to read the data) but completely bypasses the CORS preflight request and header checks.

[jonchurch_]

This is missing important context. You are correct that preflight will be skipped, but there are further restrictions when operating in this mode. They don't guarantee your server is safe, but it does force operation under a “safer” subset of verbs and header fields.

The browser will restrict the headers and methods of requests that can be sent in no-cors mode. (silent censoring in the case of headers, more specifically)

Anything besides GET, HEAD, POST will result in an error in browser, and not be sent.

All headers will be dropped besides the CORS safelisted headers [0]

And Content-Type must be one of urlencoded, form-data, or text-plain. Attempting to use anything else will see the header replaced by text-plain.

[0] https://developer.mozilla.org/en-US/docs/Glossary/CORS-safel...

[rafram]

That’s just not that big of a restriction. Anecdotally, very few JSON APIs I’ve worked with have bothered to check the request Content-Type. (“Minimal” web frameworks without built-in security middleware have been very harmful in this respect.) People don’t know about this attack vector and don’t design their backends to prevent it.

[jonchurch_]

I agree that it is not a robust safety net. But in the instance you’re citing, thats a misconfigured server.

What framework allows you to setup a misconfigured parser out of the box?

I dont mean that as a challenge, but as a server framework maintainer Im genuinely curious. In express we would definitely allow people to opt into this, but you have to explicitly make the choice to go and configure body-parser.json to accept all content types via a noop function for type checking.

Meaning, its hard to get into this state!

Edit to add: there are myriad ways to misconfigure a webserver to make it insecure without realizing. But IMO that is the point of using a server framework! To make it less likely devs will footgun via sane defaults that prevent these scenarios unless someone really wants to make a different choice.

[rafram]

SvelteKit for sure, and any other JS framework that uses the built-in Request class (which doesn’t check the Content-Type when you call json()).

I don’t know the exact frameworks, but I consume a lot of random undocumented backend APIs (web scraper work) and 95% of the time they’re fine with JSON requests with Content-Type: text/plain.

[afavour]

I think you’re making those restrictions out to be bigger than they are.

Does no-cors allow a nefarious company to send a POST request to a local server, running in an app, containing whatever arbitrary data they’d like? Yes, it does. When you control the server side the inability to set custom headers etc doesn’t really matter.

[jonchurch_]

My intent isnt to convince people this is a safe mode, but to share knowledge in the hope someone learns something new today.

I didnt mean it to come across that way. The spec does what the spec does, we should all be aware of it so we can make informed decisions.

[chuckadams]

Thankfully no-cors also restricts most headers, including setting content-type to anything but the built-in form types. So while CSRF doesn't even need a click because of no-cors, it's still not possible to do csrf with a json-only api. Just be sure the server is actually set up to restrict the content type -- most frameworks will "helpfully" accept and convert form-data by default.

[bawolff]

> No, a preflight (OPTIONS) request is sent by the browser first prior to sending the request initiated by the application.

Note: preflight is not required for any type of request that browser js was capable of making prior to CORS being introduced. (Except for local network)

So a simple GET or POST does not require OPTIONS, but if you set a header it might require OPTIONS (unless its a header you could set in the pre-cors world)

[thayne]

It depends. GET requests are assumed not to have side effects, so often don't have a preflight request (although there are cases where it does). But of course, not all sites follow those semantics, and it wouldn't surprise me if printer or router firmware used GETs to do something dangerous.

Also, form submission famously doesn't require CORS.

[layer8]

There is a limited, but potentially effective, attack surface via URL parameters.

[rerdavies]

I can confirm that local websites that don't implement CORS via the OPTIONS request cannot be browsed with mainstream browsers. Does nothing to prevent non-browser applications running on the local network from accessing your website.

As far as I can tell, the only thing this proposal does that CORS does not already do is provide some level of enterprise configuration control to guard against the scenario where your users are using compromised internet sites that can ping around your internal network for agents running on compromised desktops. Maybe? I don't get it.

If somebody would fix the "no https for local connections" issue, then IoT websites could use authenticated logins to fix both problems. Non-https websites also have no access to browser crypto APIs so roll-your-own auth (the horror) isn't an option either. Fustrating!

[dgoldstein0]

I don't believe this is true? As others have pointed out, preflight options requests only happen for non simple requests. Cors response headers are still required to read a cross domain response, but that is still a huge window for a malicious site to try to send side effectful requests to your local network devices that have some badly implemented web server running.

[rerdavies]

[edit]: I was wrong. Just tested that a moment ago. It turns out NOT to be true. My web server during normal operation is current NOT getting OPTIONS requests at all.

Wondering whether I triggered CORS requests when I was struggling with IPv6 problems. Or maybe it triggers when I redirect index.html requests from IPv6 to IPv4 addresses. Or maybe I got caught by the earlier roll out of version one of this propposal? There was definitely a time while I was developing pipedal when none of my images displayed because my web server wasn't doing CORS. But. Whatever my excuse might be, I was wrong. :-/