From: guido@trentalancia.com (Guido Trentalancia)
Date: Thu, 23 Nov 2017 21:57:53 +0100
Subject: [refpolicy] CORS web vulnerability
Message-ID: <1511470673.10065.12.camel@trentalancia.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

To whom it may concern.

The so-called Cross-Origin Resource Sharing (CORS) web functionality can constitute a very serious vulnerability in terms of both security and privacy: the risks might not outweigh the benefits.

Most recent web browsers implement such functionality but unfortunately do not offer a way of disabling it in order to gain maximum security and privacy benefits while browsing the web.

SELinux policy, to the best of my knowledge, cannot prevent such vulnerability either. Therefore, the problem has to be tackled at the browser code level.

For those using the popular webkit library, a countermeasure for the above-mentioned vulnerability now exists in the form of a patch that I have created:

https://bugs.webkit.org/show_bug.cgi?id=179886

Feel free to use it and/or redistribute it as long as you agree to the webkit license and keep the copyright notice intact.

Regards,

Guido