Re: [thredds] [opendap-tech] A request for server developers

Hi Gerry,

Yes, if the data are indeed sensitive (in which case they are presumably 
currently behind a login access?) then there will be issues as I acknowledged.  
But if the data are already public (i.e. freely accessible via OPeNDAP with no 
login required) then do you think there is an issue?

Cheers,
Jon

From: Gerry Creager - NOAA Affiliate [mailto:gerry.creager@xxxxxxxx]
Sent: 25 April 2013 16:01
To: Jon Blower
Cc: thredds@xxxxxxxxxxxxxxxx
Subject: Re: [thredds] [opendap-tech] A request for server developers

Jon -- A big concern from our point of view (note: some mental gymnastics may 
be involved in following this) is that a site accessed from another "trusted" 
site via cross-origin credentials, may serve sensitive data to an unprivileged 
user. That constitutes a data breach and as such, tends to cause alarms to go 
off around here. Speaking as someone who just endured over 2 months of 
bureaucratic wrangling to gain access to a "restricted" dataset, if the work to 
get those data got worse because someone had made this same set publicly 
accessible, even inadvertently, it would start approaching "useless" within my 
organization.

Benno -- tell me you don't expect Microsoft to conform to a standard they don't 
either own, or have claimed to own?

gerry

On Thu, Apr 25, 2013 at 9:46 AM, Jon Blower <j.d.blower@xxxxxxxxxxxxx> wrote:
Hi all,

An honest (and perhaps innocent) question - if a server is already public and 
read-only, what is there to lose by enabling CORS?  The cross-origin security 
constraints exist for the security of the client (browser), not the server.  
You could after all be accessing the server through something that isn't a 
browser at all.

However, if a server requires logins, and/or allows changes to the server to be 
made through the web interface, then CORS is perhaps more of an issue (most of 
the examples in the website Dennis quotes are around these use cases).

From that same website, the risk of allowing CORS for a public read-only site 
appears to be that an attacker could use users' web browsers to perform a 
distributed denial-of-service attack, which is surely already possible anyway 
(and is why many sysadmins implement throttling or some other strategy).

Cheers,
Jon
(not a security expert or a sysadmin!)

_______________________________________________
thredds mailing list
thredds@xxxxxxxxxxxxxxxx
For list information or to unsubscribe,  visit: 
http://www.unidata.ucar.edu/mailing_lists/



--
Gerry Creager
NSSL/CIMMS
405.325.6371
++++++++++++++++++++++
"Big whorls have little whorls,
That feed on their velocity;
And little whorls have lesser whorls,
And so on to viscosity."
Lewis Fry Richardson (1881-1953)
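The distinction the thread turns on (a public read-only server answering with a wildcard versus a login-protected server echoing whatever Origin it is sent) can be made concrete with a small model of both sides of CORS. The script below is an added example, not code from THREDDS, Hyrax or any OPeNDAP server: the server side picks CORS response headers for a dataset request, and the client side applies the browser's CORS response check from the Fetch standard to decide whether page script may read the body. The dataset names, the partner allow-list and the three policy modes are constructed for the example.

```javascript
// Added example, not THREDDS/Hyrax code. Models the server's CORS header choice
// and the browser's CORS response check so the two cases in the thread can be
// compared side by side.

// Constructed sample catalogue: one public read-only dataset, one restricted.
const datasets = {
  "sst_daily.nc": { public: true },        // no login required
  "restricted_obs.nc": { public: false },  // served only to logged-in users
};

// Constructed allow-list of partner sites permitted credentialed access.
const trustedOrigins = new Set(["https://portal.example.edu"]);

// Server side: choose CORS headers for a request to `dataset` from `origin`.
//   "public-wildcard": '*' for public data, no CORS headers for restricted data.
//   "reflect-origin":  echo any Origin and allow credentials. This is the
//                      pattern behind the breach scenario: a hostile page can
//                      read restricted data using the victim's login cookie.
//   "allow-list":      echo Origin with credentials only for trusted partners.
function corsHeadersFor(dataset, origin, mode) {
  const meta = datasets[dataset];
  if (!meta) throw new Error(`unknown dataset ${dataset}`);
  if (meta.public) {
    // Public read-only data needs no credentials, so '*' gives nothing away.
    return { "Access-Control-Allow-Origin": "*" };
  }
  if (mode === "reflect-origin" && origin) {
    return {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Credentials": "true",
      "Vary": "Origin",
    };
  }
  if (mode === "allow-list" && trustedOrigins.has(origin)) {
    return {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Credentials": "true",
      "Vary": "Origin",
    };
  }
  return {}; // no CORS headers: the browser refuses to expose the response
}

// Client side: the Fetch standard's CORS check. Returns true when a page at
// `pageOrigin` may read the response. A non-browser client (curl, a Python
// script) never runs this check and reads whatever the server sends.
function browserMayRead(headers, pageOrigin, withCredentials) {
  const allowOrigin = headers["Access-Control-Allow-Origin"];
  if (allowOrigin === undefined) return false;
  if (!withCredentials && allowOrigin === "*") return true;
  if (allowOrigin !== pageOrigin) return false;
  if (!withCredentials) return true;
  // Credentialed requests: '*' is rejected above, origin must match exactly,
  // and Access-Control-Allow-Credentials must be exactly "true".
  return headers["Access-Control-Allow-Credentials"] === "true";
}

// One cross-origin read from a page at `pageOrigin`, under a server policy.
function crossOriginRead(dataset, pageOrigin, withCredentials, mode) {
  const headers = corsHeadersFor(dataset, pageOrigin, mode);
  return browserMayRead(headers, pageOrigin, withCredentials);
}

// Usage: compare the public wildcard case with the reflected-origin case.
const attacker = "https://evil.example";
console.log("public data, wildcard, no cookie:",
  crossOriginRead("sst_daily.nc", attacker, false, "public-wildcard"));
console.log("restricted data, reflected origin, victim's cookie:",
  crossOriginRead("restricted_obs.nc", attacker, true, "reflect-origin"));
console.log("restricted data, allow-list, victim's cookie:",
  crossOriginRead("restricted_obs.nc", attacker, true, "allow-list"));
```

Two things fall out of running it. A wildcard on public data never exposes a credentialed response, because browsers reject `*` whenever credentials are included, so the public read-only server has nothing extra to lose. The breach case needs the server to both reflect an untrusted Origin and set `Access-Control-Allow-Credentials: true`; an allow-list of partner origins (with `Vary: Origin` so caches do not mix responses) is the usual fix for the login-protected case.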