Re: [AC] Helping server admins not making mistakes

On 2008-06-09 17:56:17 -0700, Jonas Sicking wrote:

> There is in fact already a standardized header that falls into the third 
> category. The "Range" header currently does allow attacks. Consider the 
> following:

> In our bug management system anyone can write comments about any bug. 
> Occasionally some of these comments get marked as "security private" since 
> they mention security sensitive things; only people in the "security group" 
> can read these private comments.
>
> An attacker could write a comment containing the text
> <?Access-Control allow="*"?><foo>
>
> The attacker would then set up a website that performed a cross-site XHR 
> request to the bug page with a "Range" header stating that the part starting 
> at the text he wrote, to the end of the document, should be downloaded. The 
> Access-Control implementation would see a document starting with the 
> Access-Control PI followed by an element tag. 

Interesting example.  Three thoughts on it:

 - There needs to be a security consideration about Range, and not
   getting fooled by it -- since, frankly, the implementation you
   describe above is flawed.

 - Can we get rid of the processing instruction already?
 
 - Wouldn't be a problem if we went for a model in which the amount
   of flexibility in the client is minimal, effectively forcing
   developers to put the enforcement into the server.

> This is easy enough to fix for the Range header. All we need to
> do is to say that Access-Control PIs should not be honored if a
> Range header is specified.

ack

> However we could obviously not apply the same fix if other custom
> headers have the same problem.

Indeed.  But maybe the fix here is really to drop the processing
instruction and rely on headers only.

> Also, for what it's worth, this is a good example of when it
> would be useful to be able to specify that you want to support
> Access-Control, but only support it without cookies. That way we
> could allow mashups with our bug database, without worrying about
> leaking private comments.

If you're really concerned about private comments, you'd probably
want to actually check Access-Control-Origin on the server and set
appropriate Vary headers, no?

-- 
Thomas Roessler, W3C  <tlr@w3.org>

Received on Tuesday, 10 June 2008 12:25:17 UTC
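Added example, not part of the thread and not code from either Jonas or Thomas: a small simulation of the Range interaction discussed above, with both fixes the thread proposes as testable functions. The client side applies Jonas's rule (do not honour an Access-Control PI when a Range header was sent, and additionally never on a 206 Partial Content response); the server side applies Thomas's suggestion (check the origin request header on the server and emit a Vary header). The bug page, the origins, the `origin_server` toy and the response header name `Access-Control-Allow-Origin` are constructed assumptions; the draft discussed on the page names only the request header `Access-Control-Origin` and the `Vary` header.

```python
"""Defensive checks for the Access-Control PI vs. HTTP Range interaction.

Added example; names, headers and the sample bug page are constructed.
"""
import re

# Constructed bug page. One comment is "security private"; another holds
# commenter-supplied text, stored verbatim, that happens to look like an
# Access-Control processing instruction followed by an element tag.
BUG_PAGE = (
    '<?xml version="1.0"?>\n'
    '<bug id="12345">\n'
    '  <comment private="true">internal details</comment>\n'
    '  <comment>plain text <?Access-Control allow="*"?><foo></comment>\n'
    '</bug>\n'
)

# An Access-Control PI at the very start of a document (after an optional
# XML declaration), which is the only place the draft's client looks.
PI_AT_START = re.compile(
    r'\A\s*(?:<\?xml[^?]*\?>\s*)?<\?Access-Control\s+allow="([^"]*)"\s*\?>'
)


def origin_server(request_headers, document=BUG_PAGE):
    """Generic origin server behaviour: a bytes Range request yields
    206 Partial Content with just the requested slice, as any static
    file server would. Returns (status, body)."""
    rng = request_headers.get("Range")
    if rng is None:
        return 200, document
    m = re.fullmatch(r"bytes=(\d+)-(\d*)", rng)
    if m is None:
        return 416, ""
    start = int(m.group(1))
    end = int(m.group(2)) + 1 if m.group(2) else len(document)
    return 206, document[start:end]


def naive_client_allows(request_headers, status, body):
    """The flawed client logic the thread describes: trust an
    Access-Control PI found at the start of whatever bytes came back."""
    m = PI_AT_START.match(body)
    return m is not None and m.group(1) == "*"


def hardened_client_allows(request_headers, status, body):
    """Jonas's fix: never honour the PI when the request carried a Range
    header; also refuse whenever the response is partial content, so a
    server that ranges for other reasons cannot fool the client either."""
    if "Range" in request_headers or status == 206:
        return False
    return naive_client_allows(request_headers, status, body)


def cross_site_decision(request_headers, trusted_origins):
    """Thomas's server-side check: inspect the origin request header on the
    server and emit Vary so caches keep per-origin responses apart.
    Returns (allowed, response_headers). The response header name is an
    assumption for illustration; the request header name is from the draft."""
    origin = request_headers.get("Access-Control-Origin")
    headers = {"Vary": "Access-Control-Origin"}
    if origin is not None and origin in trusted_origins:
        headers["Access-Control-Allow-Origin"] = origin
        return True, headers
    return False, headers


def demo():
    """Replay the scenario from the thread against both client policies
    and the server-side check; returns the three verdicts."""
    offset = BUG_PAGE.index("<?Access-Control")
    req = {"Range": f"bytes={offset}-",
           "Access-Control-Origin": "http://untrusted.example"}
    status, body = origin_server(req)
    return {
        "naive": naive_client_allows(req, status, body),
        "hardened": hardened_client_allows(req, status, body),
        "server": cross_site_decision(req, {"http://partner.example"})[0],
    }


if __name__ == "__main__":
    print(demo())  # naive client is fooled; hardened client and server are not
```

The hardened client rule costs nothing for legitimate documents that really do begin with the PI and are fetched whole (status 200, no Range), and the server-side check is the only one of the two that protects the private comments regardless of what the client implements, which is the point Thomas makes about checking the origin on the server.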