Re: [access-control] non-GET authorization

On Fri, 19 Oct 2007 01:44:37 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
> 1) Perform a GET request to the same URI, use Content-Access headers in  
> combination and A with Allow header to authorize the non-GET request.
>
>    Pros:
>      * GET requests are common, understood and supported both server and
>        client side everywhere.
>    Cons:
>      * The GET request should be removed from caches by the following
>        non-GET request, thus requiring a special header in order to avoid
>        reauthorizing for every request.
>      * Non standard way of checking for allowed methods over HTTP

I think this is what we should go for, but it's not entirely clear to me  
what the details are yet. I'll first illustrate a scenario of how I expect  
this to work and then raise some questions about the specifics.

http://xss.invalid/a (a) lets user agent (UA) do an access request to  
http://xss.example.org/b (b) using the PUT HTTP method. UA first  
determines whether it has an entry in the access method check cache for b.  
This appears not to be the case so an access method check request is  
performed (first request):

   GET /b HTTP/1.1
   ...
   Referer-Root: http://xss.invalid:80
   Method-Check: PUT

xss.example.org responds (first reply):

   ...
   Allow: GET, PUT
   Access-Control: allow <http://xss.invalid>
   Method-Check-Expires: ... (HTTP-date)

UA stores this response in the access method check cache with the correct  
expiry date. The user agent then does the actual (access) request because  
everything is ok so far (second request):

   PUT /b HTTP/1.1
   ...
   Referer-Root: http://xss.invalid:80

and xss.example.org responds that it's ok again (second reply):

   ...
   Access-Control: allow <http://xss.invalid>


As for the questions:

1. Would the first reply be cached if it did not allow access (did not  
have Access-Control/<?access-control?>)?

2. Would the first reply be cached if the desired method was not listed in  
Allow?

3. Would it remain cached if the second reply did not allow access?

It makes sense to me if the answer to those questions is yes as the cache  
feature seems more like a contract between UA and b and not between a and  
b.


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Friday, 19 October 2007 20:20:49 UTC
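The exchange sketched in the mail, as an added simulation that is not part of the original post or of any Opera or W3C code: a user agent with an access method check cache, a scripted stand-in for xss.example.org, and both requests with their headers. The cache policy is an assumption that follows the answer Anne suggests for the three questions (the check reply is cached per target URI whatever it says, and answered from the cache for any origin and method until Method-Check-Expires passes); the header syntax handled is only the "allow <origin>" form and the comma-separated Allow list shown above, and the clock, origins and expiry values are constructed for the run.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

Headers = Dict[str, str]


@dataclass
class Response:
    status: int
    headers: Headers


def normalize_origin(origin: str) -> str:
    """Drop the default port so the Referer-Root form "http://xss.invalid:80"
    compares equal to the Access-Control form "http://xss.invalid"."""
    parts = urlsplit(origin)
    default = {"http": 80, "https": 443}.get(parts.scheme)
    if parts.port is None or parts.port == default:
        return f"{parts.scheme}://{parts.hostname}"
    return f"{parts.scheme}://{parts.hostname}:{parts.port}"


def parse_access_control(value: Optional[str]) -> Set[str]:
    """Parse 'allow <http://a> <http://b>, allow <...>' into a set of origins.
    Only the "allow <origin>" form used in the mail is handled (assumption)."""
    allowed: Set[str] = set()
    for rule in (value or "").split(","):
        words = rule.split()
        if words and words[0].lower() == "allow":
            allowed.update(normalize_origin(w.strip("<>")) for w in words[1:])
    return allowed


def parse_allow(value: Optional[str]) -> Set[str]:
    """'Allow: GET, PUT' -> {'GET', 'PUT'}."""
    return {m.strip().upper() for m in (value or "").split(",") if m.strip()}


@dataclass
class CacheEntry:
    allow: Set[str]       # methods from the Allow header of the check reply
    origins: Set[str]     # origins from the Access-Control header of the check reply
    expires: datetime     # from Method-Check-Expires


class UserAgent:
    def __init__(self, send, now):
        self.send = send            # send(method, uri, headers) -> Response
        self.now = now              # callable returning an aware datetime
        self.cache: Dict[str, CacheEntry] = {}   # keyed by target URI only (assumption)

    def access_request(self, referer_root: str, uri: str, method: str) -> Tuple[bool, str]:
        origin = normalize_origin(referer_root)
        entry = self.cache.get(uri)
        if entry is None or entry.expires <= self.now():
            # First request: the access method check, a GET carrying Method-Check.
            resp = self.send("GET", uri, {"Referer-Root": referer_root, "Method-Check": method})
            exp = resp.headers.get("Method-Check-Expires")
            entry = CacheEntry(
                allow=parse_allow(resp.headers.get("Allow")),
                origins=parse_access_control(resp.headers.get("Access-Control")),
                # no expiry header: store it already expired, i.e. never reuse it
                expires=parsedate_to_datetime(exp) if exp else self.now(),
            )
            self.cache[uri] = entry   # cached whether or not it allowed anything
        if origin not in entry.origins:
            return False, "check reply does not allow origin"
        if method.upper() not in entry.allow:
            return False, "method not listed in Allow"
        # Second request: the actual access request, Referer-Root only.
        resp = self.send(method, uri, {"Referer-Root": referer_root})
        if origin not in parse_access_control(resp.headers.get("Access-Control")):
            return False, "actual reply does not allow origin"
        return True, "ok"


class Server:
    """Scripted stand-in for xss.example.org; records every request it sees."""
    def __init__(self, now):
        self.now = now
        self.seen: List[Tuple[str, str, Headers]] = []

    def __call__(self, method: str, uri: str, headers: Headers) -> Response:
        self.seen.append((method, uri, dict(headers)))
        ac = "allow <http://xss.invalid>"
        if method == "GET" and "Method-Check" in headers:
            return Response(200, {"Allow": "GET, PUT", "Access-Control": ac,
                                  "Method-Check-Expires": format_datetime(self.now() + timedelta(hours=1))})
        return Response(200, {"Access-Control": ac})


class Clock:
    def __init__(self, start: datetime):
        self.now = start

    def __call__(self) -> datetime:
        return self.now


def run_scenario() -> dict:
    """Run the mail's scenario plus three follow-ups against the cache."""
    clock = Clock(datetime(2007, 10, 19, 20, 0, tzinfo=timezone.utc))
    server = Server(clock)
    ua = UserAgent(server, clock)
    a, b = "http://xss.invalid:80", "http://xss.example.org/b"
    r = {}
    r["put"] = ua.access_request(a, b, "PUT")                        # GET check, then PUT
    r["put_again"] = ua.access_request(a, b, "PUT")                  # cache hit: PUT only
    r["delete"] = ua.access_request(a, b, "DELETE")                  # refused from cache, no request
    r["other_origin"] = ua.access_request("http://other.invalid", b, "PUT")  # refused from cache
    clock.now += timedelta(hours=2)                                  # past Method-Check-Expires
    r["put_expired"] = ua.access_request(a, b, "PUT")                # check again, then PUT
    r["methods_seen"] = [m for m, _, _ in server.seen]
    return r
```

Keying the cache by the target URI alone is what makes the entry a contract between the UA and b rather than between a and b: a second origin asking for the same URI is answered from the stored Access-Control without another check request, and a method the stored Allow does not list is refused without touching the network. A UA that wanted to give each origin its own chance to be allowed would key on (origin, URI) instead; the rest of the flow is unchanged.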