Hi,
I'm a Spring Framework committer and I'm working on Spring's SockJS implementation with my colleagues; I had some questions to the group.
Looking at the protocol specification [1] and existing implementations [2], it seems that for CORS-related browser requests, the SockJS implementation:
* either sends a "Access-Control-Allow-Origin"="*" HTTP response header
* or sends a "Access-Control-Allow-Origin"="[request origin]" response header, echoing back the request's origin header value to the client
In both cases, SockJS allows requests from any domain, even if the request comes from a third party domain (i.e. has "
evil.com" as an Origin, while the SockJS server application is hosted on "
example.org").
My questions are:
1) Why are we always sending CORS headers?
2) In our SockJS protocol server implementation, we plan to *not* send an "Access-Control-Allow-Origin" response header to the client, thus enforcing a same origin policy as a default behavior. What do you think?
3) Without further configuration by the developer, isn't a "same origin policy" a sane default?
4) Protocol tests/specs and implementations is sending those CORS headers; is this part of the SockJS protocol required behavior? A convenient default configuration to make it work out of the box in a cross-domain context? Or just a test artifact for the protocol to be tested in various setups? I find this a bit misleading, if not a security issue.
5) In our implementation, we plan to allow developers to explitely configure other origins; those values will be sent in CORS headers. Do other implementations already do this? Is there some common pattern on this SockJS implementations should follow?
When using the iframe transport, the current SockJS protocol spec does not mention the X-Frame-Options not Content-Security-Policy HTTP headers; they are often used to prevent clickjacking issues.
Questions:
6) Should those headers be sent along iframe HTTP responses, defaulting to a same origin policy? Or not sending them is enough?
7) When explictely configuring other authorized origins, should those headers values be the same as configured CORS authorized origins (see question #5)?
Thanks,
--
Brian Clozel