[access-control] non-GET threat model and authorization choreography

I sought to implement access-control for Validator.nu today. Some  
issues came up.

What's the expected threat of a browser performing a non-GET request  
without being pre-authorized if the response isn't revealed to  
scripts if the required Access-Control authorization isn't there?  
Presumably, the danger is that e.g. a POST could change the state of  
the server-side app. But server-side apps need to be resilient  
against random POSTs anyway. Is the expectation that the browser  
would send login credentials automatically with a cross-domain XHR  
POST? Could those credentials be omitted (until the server  
demonstrates access-control and Referer-Root awareness) so that non-GET  
methods could be tried optimistically? Some services, like  
Validator.nu, don't require login, so as far as the server is  
concerned, it could handle such an optimistic POST.

As for the mechanism for authorizing non-GET methods, why isn't  
OPTIONS used? The purpose of the request isn't to retrieve a resource  
representation, which is what GET is for. OTOH, the purpose of  
OPTIONS is to probe allowed methods. The Allow header on OPTIONS  
responses does not demonstrate that the server knows about  
cross-domain XHR semantics, but another header name such as  
Access-Control-Allow on an OPTIONS response could be used to signal that  
the server responding to OPTIONS knows about access-control and has had  
the opportunity to examine Referer-Root.

In any case, it would help implementors if the spec was clearer about  
the exact choreography prior to a non-GET request. Now it isn't clear  
whether the server should include an Allow header on all GET  
responses just in case. Also, it isn't clear whether Method-Check  
will only be present on authorization probes. That is, it isn't clear  
if it is always safe to respond with 204 No Content to responses with  
the Method-Check header.

-- 
Henri Sivonen
hsivonen@iki.fi
http://hsivonen.iki.fi/

Received on Friday, 5 October 2007 12:23:48 UTC
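As an added illustration (not code from the post, from Validator.nu, or from the Access-Control draft), here is a minimal server-side model of the non-GET choreography the post asks about: every request carrying a Method-Check header is treated as an authorization probe and never reaches the real handler, which is what makes answering 204 No Content safe in this model. Method-Check, Referer-Root, Allow and 204 are taken from the post, Access-Control-Allow is the response header name the post proposes, and the allowlist, the header lookup and the handler bodies are assumptions made here.

```python
# Added example, not code from the post, Validator.nu or the Access-Control
# draft. It models a server that answers authorization probes (requests
# carrying Method-Check) with 204 and keeps them away from the real handlers.
# Assumptions: the allowlist below, the case-insensitive header lookup, the
# Access-Control-Allow header name (proposed in the post) and handler bodies.

ALLOWED_ROOTS = {"http://example.com"}          # constructed allowlist
ALLOWED_METHODS = ("GET", "POST", "OPTIONS")


def handle(method, headers, body=b""):
    """Return (status, response_headers, body) for one request."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    allow = {"Allow": ", ".join(ALLOWED_METHODS)}

    # Authorization probe: list the allowed methods and, only when the
    # requesting site's root is allowlisted, add the cross-site permission
    # header. Nothing below this branch runs for a probe, whatever method
    # it arrived with, so 204 No Content is always safe here.
    if "method-check" in hdrs:
        resp = dict(allow)
        root = hdrs.get("referer-root")
        if root in ALLOWED_ROOTS:
            resp["Access-Control-Allow"] = root
        return 204, resp, b""

    if method == "OPTIONS":
        return 204, allow, b""
    if method == "GET":
        return 200, {}, b"service description"
    if method == "POST":
        # Stateless work (the post's Validator.nu case): an optimistic
        # cross-site POST that was never pre-authorized does no harm here.
        return 200, {}, b"validated %d bytes" % len(body)
    return 405, allow, b""
```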