
Re: #328: user Intervention on Redirects

From: Henrik Nordström <henrik@henriknordstrom.net>
Date: Sat, 18 Feb 2012 16:51:14 +0100
Message-ID: <1329580274.27771.14.camel@home.hno.se>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
On Fri, 2012-02-17 at 15:08 -0800, Martin Thomson wrote:

> Damn, I can be dense sometimes.  Obviously, if I can convince you to
> send me a POST that says "transfer $10 to acct number X" (which is
> trivially easy) and then redirect you to your bank, if you have an
> open session and the bank doesn't check Referer (though that wouldn't
> necessarily help), you've just made an easy $10.

Yes.

> Are there any measures that browsers could take to limit this sort of
> thing?

Yes, and they do to various degrees.

> Just off the cuff, it seems to me that a method preserving redirect
> (307, 308) should almost operate in the same sort of security context
> as a cross domain request (CORS).  That means that user credentials
> are removed unless the target resource explicitly accepts them.  Or
> you could just take the position that this is a problem for the target
> site.

It's a problem for all involved.

User agents should limit the exposure of automatic cross-domain actions
other than GET.

Non-safe methods (i.e. mostly anything except for HEAD/GET) should not
be automatically retried on redirect.

Origin servers with user-sensitive actions performed via POST need to
use embedded session parameters to protect from cross-domain actions
(i.e. an embedded one-time parameter in forms to verify the origin of the
submitting form).

Regards
Henrik
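As an added illustration of the origin-server defence described in the message (not code from the thread or from any browser or server project), the following constructed Python sketch models a bank's transfer endpoint that binds each form submission to a one-time token issued to the session, and shows why a POST body relayed to it through a 307 redirect from another site is refused even though the session cookie is attached. The site name, endpoint, field names and session store are all hypothetical.

```python
import hmac
import secrets
from typing import Optional, Tuple

# Constructed example of the origin-server defence: a one-time parameter embedded
# in the bank's own form and verified on POST. All names and values are hypothetical.
SITE = "https://bank.example"
SESSIONS = {}  # cookie value -> {"user": str, "tokens": set}; in-memory stand-in

def login(user: str) -> str:
    cookie = secrets.token_urlsafe(16)
    SESSIONS[cookie] = {"user": user, "tokens": set()}
    return cookie

def render_transfer_form(cookie: str) -> dict:
    """GET /transfer: mint a fresh one-time token and embed it as a hidden field."""
    token = secrets.token_urlsafe(16)
    SESSIONS[cookie]["tokens"].add(token)
    return {"action": "/transfer", "method": "POST", "hidden": {"csrf_token": token}}

def handle_transfer(cookie: str, form: dict, origin: Optional[str]) -> Tuple[int, str]:
    """POST /transfer: the session cookie alone is not enough; the body must carry
    a token this session was issued, and each token is accepted exactly once."""
    session = SESSIONS.get(cookie)
    if session is None:
        return 401, "no session"
    if origin is not None and origin != SITE:  # secondary check when the browser sends Origin
        return 403, "cross-origin request refused"
    supplied = form.get("csrf_token", "").encode()
    match = next((t for t in session["tokens"] if hmac.compare_digest(t.encode(), supplied)), None)
    if match is None:
        return 403, "missing or unknown csrf_token"
    session["tokens"].discard(match)  # one-time: a replay of the same form fails
    return 200, f"transferred {form['amount']} to {form['acct']} for {session['user']}"

def demo() -> Tuple[int, int, int]:
    cookie = login("alice")
    # Legitimate flow: the user loads the bank's form, then submits it from the bank's page.
    form = dict(render_transfer_form(cookie)["hidden"], amount="10", acct="X")
    ok, _ = handle_transfer(cookie, form, origin=SITE)
    # The thread's scenario: a POST to a third-party site is answered with a 307 to the
    # bank, and the browser re-sends the same body with the bank's cookie attached. The
    # body cannot contain a token the bank issued to this session, so it is refused.
    relayed_body = {"amount": "10", "acct": "X"}
    refused, _ = handle_transfer(cookie, relayed_body, origin="https://third-party.example")
    # Without an Origin header (older user agents) the token check alone still refuses it.
    refused_no_origin, _ = handle_transfer(cookie, relayed_body, origin=None)
    return ok, refused, refused_no_origin
```

The token check is the part that holds up regardless of what the redirecting site does; the Origin comparison is only a secondary check, since the message notes that header-based checks such as Referer cannot be relied on alone.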
Received on Saturday, 18 February 2012 15:52:14 GMT
