
Same Origin Policy and HTTP Authentication

From: Chirag Shah <chiragshah1@gmail.com>
Date: Sun, 05 Dec 2010 18:43:27 +0000
Message-ID: <AANLkTimXusQ6aTg6f==GZ7p1SJuVKvU1Pd8ZO-ZeJ_nN@mail.gmail.com>
To: ietf-http-wg@w3.org

Hey httpbis,

Cross Site HTTP Authentication seems to be an obscure phishing vector
that's often overlooked across the web and is sometimes difficult to
work around. When the WWW-Authenticate header is presented to a
user-agent, it will prompt the user for a user name and password.

This is a problem because when a webpage is loaded, any external
resource requested by that page can request HTTP Authentication and
trigger this dialog. At this point, it isn't entirely obvious that the
user name/password is being sent to the external resource.

One way to address this issue is by disallowing HTTP Authentication
for external resources loaded by a webpage by following a variant of
the same-origin-policy.

Proposed change in user agent behavior:
When the page http://good.com/resource is rendered, the following
table outlines how external resources (requiring Authentication) could
be treated.

http://evil.com/auth.png       -  Auth Failure  -  Different domain
http://good.com/auth.png       -  Auth Success  -  Same domain
ws://good.com/secure.htm       -  Auth Failure  -  Different protocol
http://good.com:99/auth.png    -  Auth Failure  -  Different port
http://1.good.com/auth.png     -  Auth Failure  -  Different host

Does it make sense to update RFC 2617 to account for this issue?


References:
Cross Site HTTP Authentication:
http://code.google.com/p/google-caja/wiki/PhishingViaCrossSiteHttpAuth
HTTP Authentication: http://www.ietf.org/rfc/rfc2617.txt
The Web Origin Concept: http://tools.ietf.org/html/draft-abarth-origin-06


Thank you,
Chirag Shah - http://chiarg.com
Received on Monday, 6 December 2010 09:47:28 GMT
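The proposed user-agent rule, as an added example that is not part of the original post: a check that takes the URL of the rendered page and the URL of a subresource whose response carried a WWW-Authenticate challenge, compares their (scheme, host, port) origins as in the Web Origin Concept draft cited above, and returns whether the credential dialog may be shown. The function names, the default-port table and the heuristic that tells "Different domain" from "Different host" are assumptions made here; the post defines none of them.

```javascript
// Added example, not code from the original post: a user-agent-side check
// implementing the proposed same-origin rule for HTTP authentication
// challenges on subresources.
//
// Origins are compared as (scheme, host, port) triples. Host comparison is
// exact, so a subdomain such as 1.good.com does not match a page on good.com.

// Default ports (assumed here) so that http://good.com/ and
// http://good.com:80/ compare as the same origin.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Parse a URL into its origin triple. The WHATWG URL parser lowercases the
// host and separates userinfo, so http://good.com@evil.com/ yields host
// evil.com rather than good.com.
function originOf(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,
    host: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// Decide whether a challenge from `resourceUrl` may prompt the user while
// `pageUrl` is the document being rendered. Returns the decision plus a
// reason string using the categories from the post's table. Distinguishing
// "Different domain" from "Different host" (is one host a subdomain of the
// other?) is a heuristic added here, not something the post specifies.
function authPromptDecision(pageUrl, resourceUrl) {
  const page = originOf(pageUrl);
  const res = originOf(resourceUrl);

  if (page.scheme !== res.scheme) {
    return { allow: false, reason: "Different protocol" };
  }
  if (page.host !== res.host) {
    const related =
      res.host.endsWith("." + page.host) || page.host.endsWith("." + res.host);
    return { allow: false, reason: related ? "Different host" : "Different domain" };
  }
  if (page.port !== res.port) {
    return { allow: false, reason: "Different port" };
  }
  return { allow: true, reason: "Same origin" };
}

// Run the five cases from the post's table against http://good.com/resource.
function evaluateTable() {
  const pageUrl = "http://good.com/resource";
  const resources = [
    "http://evil.com/auth.png",
    "http://good.com/auth.png",
    "ws://good.com/secure.htm",
    "http://good.com:99/auth.png",
    "http://1.good.com/auth.png",
  ];
  return resources.map((r) => ({ resource: r, ...authPromptDecision(pageUrl, r) }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const row of evaluateTable()) {
    const verdict = row.allow ? "Auth Success" : "Auth Failure";
    console.log(`${row.resource.padEnd(30)} - ${verdict} - ${row.reason}`);
  }
}
```

The check applies only to subresources; a challenge on the top-level document itself is the case RFC 2617 already covers and would be handled before this function is consulted. Because the host is taken from the parsed URL, a resource URL carrying userinfo (http://good.com@evil.com/...) is compared by its real host, evil.com, and is rejected.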
