W3C home > Mailing lists > Public > public-appformats@w3.org > November 2007

Re: Design issues for access-control

From: Anne van Kesteren <annevk@opera.com>
Date: Mon, 05 Nov 2007 06:13:01 -0500
To: "Jonas Sicking" <jonas@sicking.cc>
Cc: "Thomas Roessler" <tlr@w3.org>, "WAF WG (public)" <public-appformats@w3.org>
Message-ID: <op.t1bf3zn564w2qv@annevk-t60.oslo.opera.com>

On Mon, 05 Nov 2007 03:25:39 -0500, Jonas Sicking <jonas@sicking.cc> wrote:
> I have heard arguments that the site might not want to broadcast who it  
> is authorizing. However this could effectively be figured out still by  
> simply brute-force testing all interesting servers and methods directly  
> from an evil server to the target server. No browser involved, simply  
> send HTTP requests containing Referer-Root and Method-Check headers.

This wouldn't work if you had to authorize (either through cookies or HTTP  
authentication) before getting to the actual document.

> Another thing that occurred to me is does HTTP caches take the full set  
> of request headers into account when caching? Otherwise it could be  
> directly harmful to include Referer-Root and Method-Check headers. The  
> cache might store an "authorize" reply when the request is made for  
> Referer-Root A and wrongly respond with the same document is checked for  
> Referer-Root B.

The authentication request cache is a seperate thing that uses the  
Referer-Root and request URI as "primary key". Or do you mean something  

Anne van Kesteren
Received on Monday, 5 November 2007 11:13:31 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:50:08 UTC