- From: Jon Ferraiolo <jferrai@us.ibm.com>
- Date: Tue, 10 Jun 2008 14:26:29 -0700
- To: Thomas Roessler <tlr@w3.org>
- Cc: Bjoern Hoehrmann <derhoermi@gmx.net>, Jonas Sicking <jonas@sicking.cc>, "WAF WG (public)" <public-appformats@w3.org>, public-appformats-request@w3.org
- Message-ID: <OF51459B5D.84C50A8A-ON88257464.0074E19A-88257464.0075C838@us.ibm.com>
I am all for dropping the PI. The benefit/cost ratio from the PI isn't high
enough. Only a subset of transmitted content will be XML (versus JSON,
plain text, innerHTML snippets, etc.). It would be better to simplify and
just offer one mechanism (i.e., HTTP headers).
Jon
Thomas Roessler
<tlr@w3.org>
Sent by: To
public-appformats Jonas Sicking <jonas@sicking.cc>
-request@w3.org cc
Bjoern Hoehrmann
<derhoermi@gmx.net>, "WAF WG
06/10/08 01:05 AM (public)"
<public-appformats@w3.org>
Subject
Re: [AC] Helping server admins not
making mistakes
On 2008-06-09 17:56:17 -0700, Jonas Sicking wrote:
> There is in fact already a standardized header that falls into the third
> category. The "Range" header currently does allow attacks. Consider the
> following:
> In our bug management system anyone can write comments about any bug.
> Occasionally some of these comments get marked as "security private"
since
> they mention security sensitive things, only people in the "security
group"
> can read these private comments.
>
> An attacker could write a comment containing the text
> <?Access-Control allow="*"?><foo>
>
> The attacker would then set up a website that performed a cross-site XHR
> request to the bug page with a "Range" header stating that the part
starting
> at the text he wrote, to the end of the document should be downloaded.
The
> Access-Control implementation would see a document starting with the
> Access-Control PI followed by an element tag.
Interesting example. Three thoughts on it:
- There needs to be a security consideration about Range, and not
getting fooled by it -- since, frankly, the implementation you
describe above is flawed.
- Can we get rid of the processing instruction already?
- Wouldn't be a problem if we went for a model in which the amount
of flexibility in the client is minimal, effectively forcing
developers to put the enforcement into the server.
> This is easy enough to fix for the Range header. All we need to
> do is to say that Access-Control PIs should not be honored if a
> Range header is specified.
ack
> However we could obviously not apply the same fix if other custom
> headers have the same problem.
Indeed. But maybe the fix here is really to drop the processing
instruction and rely on headers only.
> Also, for what it's worth, this is a good example of when it
> would be useful to be able to specify that you want to support
> Access-Control, but only support it without cookies. That way we
> could allow mashups with our bug database, without worrying about
> leaking private comments.
If you're really concerned about private comments, you'd probably
want to actually check Access-Control-Origin on the server and set
appropriate Vary headers, no?
--
Thomas Roessler, W3C <tlr@w3.org>
Attachments
- image/gif attachment: graycol.gif
- image/gif attachment: pic08890.gif
- image/gif attachment: ecblank.gif
Received on Tuesday, 10 June 2008 22:17:11 UTC