Re: [sysapps/runtime] cross origin XHR in packaged apps

On Monday, April 8, 2013 at 9:26 AM, John Lyle wrote:

> On 08/04/2013 10:08, Marcos Caceres wrote:
> > 
> > > On Monday, April 8, 2013 at 8:17 AM, John Lyle wrote:
> > > 
> > > (1) The app developer should define the origins with which the app
> > > needs to communicate (definition of least privilege)
> >
> > To clarify, by "define" I think you mean the app developer should
> > attempt to access the origins through some means (e.g., XHR, an img
> > tag, a script tag, etc.). CSP rules in the manifest may intervene at
> > this point. But you don't mean that the app developer declares those
> > origins in a list within the JSON manifest, right?
>
> In some situations, they absolutely could declare those required origins in the manifest. That's the model Chrome uses for extensions (CSP) and how WARP works, right?
That's right, but I thought we were arguing that that model is flawed (or, at least, I'm arguing that WARP and Chrome's model is flawed and fragile).
> 
> I'm not suggesting this is always necessary or a good idea, but it's one method for imposing least-privilege restrictions on the application.

I would support this in as far as the manifest supports CSP declarations that are a list of URIs.
> This is what Jonas was proposing in his message on 01/04 (I'm hoping not an April fools joke). It would significantly narrow the scope of a web application in many cases, even if not in all.

But isn't limiting the application to only one origin better from a least-privilege perspective? That way, policy and security decisions are just "same origin", and CSP can be easily and predictively applied by the UA.

Again, this comes down to getting consensus in this group that CORS and CSP are the ways to secure these applications (and that for certain privileged applications it is ok to fake the origin). I'm not proposing that all packaged apps are granted the ability to fake their origin, but some might if they have good reason to do so. 

All other packaged applications just run off app:// as the origin with maybe a human friendly rewrite of the Referer: or new HTTP header (to give some means for a server to know which packaged app it is communicating with). Cross-origin requests are then handled by CORS, and a server may choose to grant access to the unique app:// origin based on the Referer (or other HTTP header).

Yes, this requires work on the server side, but for most cases Access-Control-Allow-Origin is going to be "*".

-- 
Marcos Caceres

Received on Monday, 8 April 2013 08:51:07 UTC
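The server-side half of the model Marcos sketches (a packaged app runs off a unique app:// origin, identifies itself with an extra HTTP header, and the server decides per app via CORS rather than answering "*"), as an added example that is not part of the thread. It assumes a constructed origin shape app://<uuid> and a hypothetical identifying header named X-Packaged-App; the app identifier and method list are made-up sample data.

```javascript
// Added example (not from the sysapps thread). Pure decision logic so it runs
// without binding a port; plug it into http.createServer's request handler.

// Constructed policy: hypothetical app identifier -> HTTP methods it may use.
const ALLOWED_APPS = new Map([
  ["example-notes-app", new Set(["GET", "POST"])],
]);

// Assumed origin shape for packaged apps: app://<uuid> (not defined by the thread).
const APP_ORIGIN_RE = /^app:\/\/[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$/i;

// Returns the CORS response headers to emit, or {} to grant nothing.
// `req` mimics Node's IncomingMessage: { method, headers } with lower-cased keys.
function corsHeadersFor(req) {
  const origin = req.headers["origin"];
  const appId = req.headers["x-packaged-app"]; // hypothetical header name
  // For a preflight the method of interest is the one the app intends to use.
  const method = req.method === "OPTIONS"
    ? req.headers["access-control-request-method"]
    : req.method;

  // Only unique app:// origins are considered; anything else gets no CORS grant.
  if (!origin || !APP_ORIGIN_RE.test(origin)) return {};
  // The identifying header is set by the UA; a non-browser client can forge it,
  // so it selects a policy but is not authentication of the caller.
  const allowed = ALLOWED_APPS.get(appId);
  if (!allowed || !allowed.has(method)) return {};

  return {
    "Access-Control-Allow-Origin": origin, // echo the unique origin, never "*"
    "Vary": "Origin",                      // caches must key on Origin
    "Access-Control-Allow-Methods": [...allowed].join(", "),
    "Access-Control-Allow-Headers": "X-Packaged-App, Content-Type",
  };
}

// Maps a request to { status, headers }: preflights get 204/403, others 200/403.
function handleRequest(req) {
  const headers = corsHeadersFor(req);
  const granted = Object.keys(headers).length > 0;
  if (req.method === "OPTIONS") return { status: granted ? 204 : 403, headers };
  return { status: granted ? 200 : 403, headers };
}

module.exports = { corsHeadersFor, handleRequest };
```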