In other words, addresses whose target is the same forįor convenience, we additionally define the following terms:Ī local address is an IP address whose IP address space is local. Words, addresses whose target differs based on network position. In other words, addresses whose target differs for everyĪddresses that have meaning only within the current network. IP Address SpaceĮvery IP address belongs to an IP address space, which can be one Location: The navigation will proceed normally, but won’t beĬonsidered CORS-same-origin with the response. GET /short-links-are-short-after-shortening HTTP/1.1 Support cross-origin requests as being CORS-same-origin: // Request: Navigation doesn’t require CORS headers, and they don’t actually want to MegaCorp’s shortlink engineers are careful to avoid this potential failureīy returning CORS headers only for the preflight. They’re more or less resigned to the fact that will leak, but would be sad indeed if the target Will allow external folks to read the location of any redirect that the MegaCorp’s leak-prevention department is worried, though, that this access In order to ensure that employees can continue to navigate such links asĮxpected, MegaCorp chooses to allow private network requests: HTTP/1.1 200 OKĪccess-Control-Allow-Private-Network: true How considerate!Ĭlicking links from will trigger a CORS-preflight request, as it is a request from a publicĪddress to a private address: OPTIONS /short-links-are-short-after-shortening HTTP/1.1 Hosted at a public address in order to ensure that employees can workĮven when they’re not at the office. Its employees often email such links to each other. runs an internal link shortening service at and This will cause the preflight to fail, and the actual GET will never be issued.
If it does understand OPTIONS, it can neglect to include an Access-Control-Allow-Private-Network header in its This will cause the preflight to fail, and the actual GET will never If it doesn’t understand OPTIONS at all, it can return a 50X error.
The router will receive this OPTIONS request, and has a number of possible HTTP/1.1Īccess-Control-Request-Private-Network: true Since csrf.attack resolved to a public address, the request will trigger a CORS-preflight request: OPTIONS /set_dns?. Multicast DNS, and the user agent will note it as private. Router.local will be resolved to the router’s address via the magic of Generate a CORS-preflight request, which the router ignores. Greatly mitigates the scope of the vulnerability, as malicious requests will Public internet, and didn’t take any special effort to enable them. Happily, MegaCorp Inc’s routers don’t have any interest in requests from the Their DNS settings to be altered by navigating to and passing in various GET MegaCorp Inc’s routers have a fairly serious CSRF vulnerability which allows Or worse, this is becoming a common deployment mechanism for all manner ofĪpplications, and often assumes protections that simply don’t exist (see and for recent examples).
#Sandisk secure access private and public software
Software running a web interface on a user’s loopback address. No preflight is triggered, and theĪttacker doesn’t actually care about reading the response, as the request
Note that status quoĬORS protections don’t protect against the kinds of attacks discussed hereĪs they rely only on CORS-safelisted methods and CORS-safelisted request-headers. For example, we wish to mitigate attacks on: The overarching goal is to prevent the user agent from inadvertantly enablingĪttacks on devices running on a user’s local intranet, or services running on Require internal devices to explicitly opt-in to requests from the public Here, we propose a mitigation against these kinds of attacks that would Number of malicious behaviors, including attacks on users' routers like thoseĭocumented in (and, more recenly, and ). Internet can make requests to internal devices and servers, which enable a Much progress at segregating the one from the other. "public" internet addresses for over a decade, user agents haven’t made