W3C home > Mailing lists > Public > public-appformats@w3.org > June 2008

Re: [AC] Helping server admins not making mistakes

From: Jonas Sicking <jonas@sicking.cc>
Date: Tue, 10 Jun 2008 16:51:29 -0700
Message-ID: <484F1381.1050806@sicking.cc>
To: Jonas Sicking <jonas@sicking.cc>, Bjoern Hoehrmann <derhoermi@gmx.net>, "WAF WG (public)" <public-appformats@w3.org> 

Thomas Roessler wrote:
> On 2008-06-09 17:56:17 -0700, Jonas Sicking wrote:
> 
>> There is in fact already a standardized header that falls into the third 
>> category. The "Range" header currently does allow attacks. Consider the 
>> following:
> 
>> In our bug management system anyone can write comments about any bug. 
>> Occasionally some of these comments get marked as "security private" since 
>> they mention security sensitive things, only people in the "security group" 
>> can read these private comments.
>>
>> An attacker could write a comment containing the text
>> <?Access-Control allow="*"?><foo>
>>
>> The attacker would then set up a website that performed a cross-site XHR 
>> request to the bug page with a "Range" header stating that the part starting 
>> at the text he wrote, to the end of the document should be downloaded. The 
>> Access-Control implementation would see a document starting with the 
>> Access-Control PI followed by an element tag. 
> 
> Interesting example.  Three thoughts on it:
> 
>  - There needs to be a security consideration about Range, and not
>    getting fooled by it -- since, frankly, the implementation you
>    describe above is flawed.

Which implementation is flawed?

>  - Can we get rid of the processing instruction already?

I would actually be ok with that. But I know others have expressed a 
strong opinion to keep it.

>  - Wouldn't be a problem if we went for a model in which the amount
>    of flexibility in the client is minimal, effectively forcing
>    developers to put the enforcement into the server.

How is that?

>> However we could obviously not apply the same fix if other custom
>> headers have the same problem.
> 
> Indeed.  But maybe the fix here is really to drop the processing
> instruction and rely on headers only.

Right, but that would still only solve some of the dangerous server 
features I described. It wouldn't solve a header that stitches two 
resources together, or that allowed insertion of a custom header in the 
reply.

>> Also, for what it's worth, this is a good example of when it
>> would be useful to be able to specify that you want to support
>> Access-Control, but only support it without cookies. That way we
>> could allow mashups with our bug database, without worrying about
>> leaking private comments.
> 
> If you're really concerned about private comments, you'd probably
> want to actually check Access-Control-Origin on the server and set
> appropriate Vary headers, no?

Yes, we could ignore the cookies whenever the Access-Control-Origin 
header is sent. Or strip out the sensitive parts of the page. But that 
is much harder than simply not opting in to getting cookies.

/ Jonas
Received on Wednesday, 11 June 2008 00:02:02 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 11 June 2008 00:02:03 GMT