
Re: HTTPbis and the Same Origin Policy

From: Tyler Close <tyler.close@gmail.com>
Date: Wed, 2 Dec 2009 11:36:22 -0800
Message-ID: <5691356f0912021136m4c406777h71a5b203ecf37d90@mail.gmail.com>
To: Martin J. Dürst <duerst@it.aoyama.ac.jp>
Cc: Adam Barth <w3c@adambarth.com>, Julian Reschke <julian.reschke@gmx.de>, HTTP Working Group <ietf-http-wg@w3.org>, public-web-security@w3.org
Meta note: This message is CC'd to both ietf-http-wg and the new
public-web-security list
<http://lists.w3.org/Archives/Public/public-web-security/>. I gather
that TPTB want this discussion moved to public-web-security, so please
treat this email as the splice in the conversation and remove
ietf-http-wg from the CC list of any replies.

On Mon, Nov 30, 2009 at 8:28 PM, "Martin J. Dürst"
<duerst@it.aoyama.ac.jp> wrote:
> On 2009/12/01 4:00, Tyler Close wrote:
>
>> Consider a webbot that sends a PUT request to a resource on the
>> open Internet, which responds with a 307 to a resource behind the same
>> firewall as the webbot. The webbot has essentially punched a hole in
>> the firewall.
>
> Yes, the webbot has done this. One has to be very careful when running stuff
> such as webbots, make sure they are either inside or outside the firewall,
> but not both, unless you know exactly what you're doing. This not only
> applies to PUTs, but also to GETs.

Yes, where obeying SOP rules is part of how you "be very careful".

> On the other hand, if I write (e.g. using libcurl or whatever) a "webbot"
> that periodically checks the balance on one of my bank accounts and
> transfers money from another bank account of mine if the balance on the
> first bank account is low, then I don't see why anybody would want to forbid
> this.

I am *not* suggesting it should be forbidden. Just as a user-agent
permits a user to copy-paste data between origins, so should a webbot
be permitted to do the same. The SOP rules apply to what content from
a given origin may be allowed to do, not to what the user may do. For
example, using your scenario, content from the first bank account (the
one you are checking the balance of) should not be able to
determine the balance of the "another bank account". Only the webbot
should be able to do this.

This same reasoning applies to the "stylebot" example in Adam Barth's
message. The "stylebot" can be implemented without violating SOP
restrictions.

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Wednesday, 2 December 2009 19:37:02 GMT
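As an added illustration of the redirect-into-the-firewall scenario discussed in this message (example code, not from the thread or from any of its participants): a redirect policy a webbot could apply before following a 3xx response. It treats the origin triple (scheme, host, port) the way the same-origin policy does, and the `is_internal_host` heuristic is an assumption of this example.

```python
import ipaddress
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# Statuses that re-send the original method and body to the new location.
METHOD_PRESERVING = {307, 308}
SAFE_METHODS = {"GET", "HEAD"}


def origin(url):
    """Return the (scheme, host, port) triple that same-origin checks compare."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def is_internal_host(host):
    """Heuristic (an assumption for this example): private, loopback and
    link-local IP literals and single-label names such as 'intranet' count as
    inside the firewall. A real bot would consult its own network policy."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "." not in host
    return ip.is_private or ip.is_loopback or ip.is_link_local


def redirect_allowed(method, request_url, status, location):
    """Return True if the webbot may follow this redirect.

    Same-origin redirects are always followed: the redirecting content can only
    send the bot where it could already go. Cross-origin redirects are refused
    when they land on an internal host, and also when a method-preserving
    status (307/308) would replay a non-safe method and its body elsewhere.
    """
    src, dst = origin(request_url), origin(location)
    if src == dst:
        return True
    if is_internal_host(dst[1]):
        return False
    if status in METHOD_PRESERVING and method.upper() not in SAFE_METHODS:
        return False
    return True
```

The function expects absolute URLs, so a relative `Location` header must first be resolved against the request URL (for instance with `urllib.parse.urljoin`).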
