
Re: Same Origin Policy and HTTP Authentication

From: Mark Nottingham <mnot@mnot.net>
Date: Tue, 7 Dec 2010 10:53:35 +1100
Cc: ietf-http-wg@w3.org
Message-Id: <19BC3924-2E41-43D3-84B7-1D31A528CCD7@mnot.net>
To: Chirag Shah <chiragshah1@gmail.com>

Changing how HTTP authentication works is explicitly out of scope for this WG, although you will likely find people willing to discuss it here.

Although there are a number of places that might be appropriate for this discussion, it might actually be most helpful for you to give this as feedback to the W3C CORS specification:


... as they're discussing what is effectively a policy mechanism for cross-site requests.

Kind regards,

On 06/12/2010, at 5:43 AM, Chirag Shah wrote:

> Hey httpbis,
> Cross Site HTTP Authentication seems to be an obscure phishing vector
> that's often overlooked across the web and sometimes difficult to
> work around. When the WWW-Authenticate header is presented to a
> user-agent, it will prompt the user for a user name and password.
> This is a problem because when a webpage is loaded, any external
> resource requested by that page can request HTTP Authentication and
> trigger this dialog. At this point, it isn't entirely obvious that the
> user name/password is being sent to the external resource.
> One way to address this issue is by disallowing HTTP Authentication
> for external resources loaded by a webpage by following a variant of
> the same-origin-policy.
> Proposed change in user agent behavior:
> When the page http://good.com/resource is rendered, the following
> table outlines how external resources (requiring Authentication) could
> be treated.
> http://evil.com/auth.png       -  Auth Failure - Different domain
> http://good.com/auth.png       -  Auth Success - Same domain
> ws://good.com/secure.htm       -  Auth Failure - Different protocol
> http://good.com:99/auth.png    -  Auth Failure - Different port
> http://1.good.com/auth.png     -  Auth Failure - Different host
> Does it make sense to update RFC 2617 to account for this issue?
> References:
> Cross Site HTTP Authentication:
> http://code.google.com/p/google-caja/wiki/PhishingViaCrossSiteHttpAuth
> HTTP Authentication: http://www.ietf.org/rfc/rfc2617.txt
> The Web Origin Concept: http://tools.ietf.org/html/draft-abarth-origin-06
> Thank you,
> Chirag Shah - http://chiarg.com

Mark Nottingham   http://www.mnot.net/
Received on Monday, 6 December 2010 23:54:08 UTC
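The same-origin rule proposed in the quoted message, written out as an added example (not code from either poster). It assumes the rule compares the (scheme, host, port) tuple of the page and of the sub-resource, with default ports normalised the way the Web Origin draft does, and it reproduces the table from the post.

```python
from urllib.parse import urlsplit

# Default ports used to normalise origins, so that http://good.com and
# http://good.com:80 compare equal (assumption: RFC 6454-style tuples).
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def origin(url):
    """Return the (scheme, host, port) origin tuple of a URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def auth_challenge_allowed(page_url, resource_url):
    """Proposed user-agent policy: a WWW-Authenticate challenge from a
    sub-resource may prompt the user only if the resource shares the
    page's origin. Everything else is treated as an auth failure."""
    return origin(page_url) == origin(resource_url)


def failure_reason(page_url, resource_url):
    """Explain why a challenge was refused: 'scheme', 'host' or 'port'
    (None when the origins match). Host covers both the 'different
    domain' and 'different host' rows of the post's table."""
    p, r = origin(page_url), origin(resource_url)
    if p == r:
        return None
    if p[0] != r[0]:
        return "scheme"
    if p[1] != r[1]:
        return "host"
    return "port"


def audit(page_url, resource_urls):
    """Apply the policy to every sub-resource and report the decision."""
    return [(u, auth_challenge_allowed(page_url, u), failure_reason(page_url, u))
            for u in resource_urls]


if __name__ == "__main__":
    # Constructed input: the rows from the quoted table.
    page = "http://good.com/resource"
    subs = ["http://evil.com/auth.png", "http://good.com/auth.png",
            "ws://good.com/secure.htm", "http://good.com:99/auth.png",
            "http://1.good.com/auth.png"]
    for url, ok, why in audit(page, subs):
        print(f"{url:32} {'Auth Success' if ok else 'Auth Failure'} {why or ''}")
```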
