oasis-tcs / csaf

OASIS CSAF TC: Supporting version control for Work Product artifacts developed by members of TC, including prose specifications and secondary artifacts like meeting minutes and productivity code
https://github.com/oasis-tcs/csaf

Mandate `Access-Control-Allow-Origin: *` for files available in public to allow browser based clients #653

Open bernhardreiter opened 1 year ago

bernhardreiter commented 1 year ago

If a server is serving CSAF 2.0 related files to the public it MUST set the HTTP-Header Access-Control-Allow-Origin: * to allow web browser based clients.

This header setting allows "cross-origin resource sharing" (CORS), so that an application within a browser from a third-party domain can access the CSAF information (like security.txt, provider-metadata.json, ROLIE files and the CSAF documents themselves).

Without this header, for example, a single-page application cannot access the contents of the files of a CSAF Provider. See the following code example, which you can run in a web browser with JavaScript enabled (save it as testcors.html and open it with the browser).

<!DOCTYPE html>
<html lang="en">
<body>
  <h1>JSON Data Fetched From URL</h1>
  <div id="data"></div>

  <script type="text/javascript">
    // Replace this URL with the actual URL of the JSON file you want to fetch
    var url = 'https://wid.cert-bund.de/.well-known/csaf/provider-metadata.json';
    //var url = 'https://jsonplaceholder.typicode.com/todos/1';

    async function getData() {
        try {
            const response = await fetch(url);
            // variant showing that we indeed get no response with `no-cors`
            //const response = await fetch(url, { mode: 'no-cors' });
            const data = await response.json();

            let ul = document.createElement("ul");
            for (let key in data) {
                let li = document.createElement('li');
                li.textContent = `${key}: ${data[key]}`;
                ul.appendChild(li);
            }
            document.getElementById('data').appendChild(ul);
        } catch (error) {
            console.log(`Error fetching data: ${error}`);
        }
    }

    getData();
  </script>
</body>
</html>

You will not see any contents. If you comment out the WID URL and use the one from a testing JSON file, it can be seen that the contents are displayed. A look into the development tools and the network requests shows that a respective header is given.

References:
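As an added check (not code from this issue or the CSAF project), the following Python script reproduces the behaviour described above without a browser: it starts a throwaway local server for a constructed provider-metadata.json, once with and once without `Access-Control-Allow-Origin: *`, and a checker that sends an `Origin` header the way a credential-less browser request does and reports whether a cross-origin page would be allowed to read the response. The local server, the sample metadata and the client origin are assumptions for the demo.

```python
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

PATH = "/.well-known/csaf/provider-metadata.json"
# Constructed sample provider-metadata.json; not any real provider's file.
SAMPLE_METADATA = json.dumps({"metadata_version": "2.0", "publisher": {
    "category": "vendor", "name": "Example Vendor"}}).encode()


def make_handler(send_cors: bool):
    """Handler serving the sample file with or without the proposed header."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path != PATH:
                self.send_error(404)
                return
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            if send_cors:
                # The wildcard is safe for public files: browsers honour it
                # only for requests made without credentials.
                self.send_header("Access-Control-Allow-Origin", "*")
            self.send_header("Content-Length", str(len(SAMPLE_METADATA)))
            self.end_headers()
            self.wfile.write(SAMPLE_METADATA)

        def log_message(self, *args):  # keep the demo output quiet
            pass
    return Handler


def serve(send_cors: bool) -> ThreadingHTTPServer:
    """Start a local server on a free port (assumed demo setup); caller calls shutdown()."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), make_handler(send_cors))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def check_cors(url: str, origin: str = "https://spa.example.test") -> dict:
    """Fetch like a browser (Origin set, no credentials) and report whether
    a page on `origin` would be allowed to read the response."""
    req = urllib.request.Request(url, headers={"Origin": origin})
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(req, timeout=5) as resp:
        acao = resp.headers.get("Access-Control-Allow-Origin")
        body = json.loads(resp.read())
    # Browser rule for credential-less requests: "*" or an exact origin match.
    readable = acao in ("*", origin)
    return {"acao": acao, "browser_readable": readable,
            "metadata_version": body.get("metadata_version")}
```

Pointing `check_cors` at a real provider's URL gives the same verdict the browser test above reaches, without needing the development tools.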

sthagen commented 1 year ago

During the 2023-09-27 meeting of the TC the members considered the inclusion of the proposed addition to the CSAF v2.1 standard.

If a server is serving CSAF 2.0 related files to the public it MUST set the HTTP-Header Access-Control-Allow-Origin: * to allow web browser based clients.

The TC decided to not include the proposal in CSAF v2.1, instead label it as v2.x and maybe come back to the proposal later.

bernhardreiter commented 1 year ago

@sthagen thanks for the note.

Additional information: In my understanding from the MDN documentation, **setting the header using the `*` directive is a safe choice**, because browsers will only allow the resource sharing for requests without credentials.

To cite from https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin#directives :

For requests without credentials, the literal value "*" can be specified as a wildcard; the value tells browsers to allow requesting code from any origin to access the resource. Attempting to use the wildcard with credentials results in an error.

bernhardreiter commented 3 weeks ago

Even if not included in CSAF 2.1, a recommendation could be mentioned in the FAQ, either for CDNs or in a separate entry.