
Re: #144: Attacks from Same Host (OppSec)

From: Mark Nottingham <mnot@mnot.net>
Date: Fri, 11 Mar 2016 16:27:28 +1100
Cc: HTTP WG <ietf-http-wg@w3.org>
Message-Id: <358D85C8-5FC3-4504-8C86-A5ECCCE2C0E3@mnot.net>
To: Martin Thomson <martin.thomson@gmail.com>
OK, I merged this and did some editorial adjustments, see:
  https://github.com/httpwg/http-extensions/compare/ab374d6...master?name=master&short_path=fd50b7c#diff-fd50b7c5883e57d650fa3ac7f47c12f9

Martin, one question -- right now, it's written in such a way that 'commit' is effectively an optional feature (for servers *and* clients). Was that your intent, and if so should it be made more explicit? Right now, it's a bit confusing because you use both "requiring" and "clients can" regarding this feature.

If folks are OK with all of that, I think we can close #67, #144 and #145:
  https://github.com/httpwg/http-extensions/issues?q=is%3Aopen+is%3Aissue+label%3Aopp-sec

The only thing remaining then is Kari's suggestion that the .well-known file also include the alternatives, to mitigate the case when an attacker has 1) the ability to inject response headers, 2) the ability to listen on a port on the same host, and 3) doesn't have the ability to modify .well-known (AKA "shared hosting w/ shell access").

Thoughts?


> On 8 Mar 2016, at 2:55 PM, Martin Thomson <martin.thomson@gmail.com> wrote:
> 
> On 8 March 2016 at 13:54, Mark Nottingham <mnot@mnot.net> wrote:
>> OK, I've taken a stab at this here:
>>  https://github.com/httpwg/http-extensions/commit/c7324f4804f
> 
> That looks like what we discussed.
> 
>> Martin, I just left the HTTP-TLS stuff in for now; Martin, do you want to try to integrate it into the well-known stuff?
> 
> See https://github.com/httpwg/http-extensions/pull/151
> 

--
Mark Nottingham   https://www.mnot.net/
Received on Friday, 11 March 2016 05:28:02 UTC
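The mitigation Mark attributes to Kari above, as an added illustration that is not part of this thread or the draft: a client accepts an Alt-Svc alternative only if the .well-known resource also lists it, so an attacker who can inject response headers and listen on a port on the same host, but cannot write .well-known, cannot steer the client to their port. The JSON layout of the .well-known document and the function names are assumptions.

```python
import json
from typing import List, Tuple

# Constructed sample inputs (not from the draft): an Alt-Svc header value in
# which an attacker has injected a second alternative on a port they control,
# and a hypothetical .well-known resource listing the origin's real alternatives.
INJECTED_ALT_SVC = 'h2=":443"; ma=3600, h2=":8443"; ma=3600'
WELL_KNOWN_DOC = '{"alternatives": ["h2=\\":443\\""]}'


def parse_alt_svc(value: str) -> List[Tuple[str, str]]:
    """Parse an Alt-Svc field value (RFC 7838 syntax) into
    (protocol-id, alt-authority) pairs. Parameters such as ma= are
    ignored and the special value 'clear' yields no alternatives."""
    if value.strip() == "clear":
        return []
    alternatives = []
    for member in value.split(","):
        head = member.split(";", 1)[0].strip()   # drop ";ma=..." parameters
        if "=" not in head:
            continue
        proto, authority = head.split("=", 1)
        alternatives.append((proto.strip(), authority.strip().strip('"')))
    return alternatives


def filter_alternatives(alt_svc_value: str, well_known_json: str) -> List[Tuple[str, str]]:
    """Keep only the advertised alternatives that the .well-known resource
    also lists. Assumed layout: {"alternatives": ["<alt-value>", ...]}.
    This only helps when the attacker cannot modify .well-known itself."""
    doc = json.loads(well_known_json)
    listed = set()
    for entry in doc.get("alternatives", []):
        listed.update(parse_alt_svc(entry))
    return [alt for alt in parse_alt_svc(alt_svc_value) if alt in listed]


if __name__ == "__main__":
    # The injected :8443 alternative is dropped; only :443 survives.
    print(filter_alternatives(INJECTED_ALT_SVC, WELL_KNOWN_DOC))
```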