
Re: HTTPbis and the Same Origin Policy

From: Maciej Stachowiak <mjs@apple.com>
Date: Thu, 03 Dec 2009 12:24:11 -0800
Cc: Adam Barth <w3c@adambarth.com>, "Martin J. Dürst" <duerst@it.aoyama.ac.jp>, Julian Reschke <julian.reschke@gmx.de>, public-web-security@w3.org
Message-id: <808F6EF1-F3FA-48DF-9B52-4C9604C138DE@apple.com>
To: Tyler Close <tyler.close@gmail.com>

On Dec 3, 2009, at 12:10 PM, Tyler Close wrote:

> On Thu, Dec 3, 2009 at 10:37 AM, Maciej Stachowiak <mjs@apple.com> wrote:
>> Do you see an actual flaw in my reasoning as applied to the command-line
>> tool in question?
>
> Sending a POST request with Content-Type application/xml using a
> webbot is a likely thing to do and the redirect attack would not be
> prevented by either of the mitigations you listed.

How does that affect my original point 1? To recap, my point 1 was
that if you send no credentials, only resources behind firewalls face
potential vulnerability from redirects. This is so because such a
request could be sent by the potential attacker directly, without
involving a redirect. I believe this remains the case even if you send
a POST request with Content-Type application/xml.

Regards,
Maciej
Received on Thursday, 3 December 2009 20:24:45 GMT
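The argument above turns on what a redirect adds to an attacker's reach when the client carries no credentials: only network position, i.e. hosts the attacker could not have addressed directly. Below is an added illustration of a redirect-following client built around that observation; it is not code from this thread, from Apple or from any W3C project. It stands in for a webbot-style command-line tool and uses a constructed DNS table and a constructed set of server responses so that it runs offline; the hostnames, addresses and URLs are all made up. Two guards are applied before each hop: credentials are dropped when the redirect leaves the original origin, and the hop is refused outright when the target resolves into address space an Internet attacker could not reach directly (the "behind the firewall" case). It also shows the method and body handling for 303 versus 307, which is the POST/application/xml replay question raised in the reply.

```python
import ipaddress
from urllib.parse import urlsplit, urljoin

# Constructed stand-in for DNS (hostname -> one address literal); no real lookups are made.
# A real client must check every A/AAAA answer, not just the first.
FAKE_DNS = {
    "attacker.example": "192.0.2.10",
    "mirror.example": "192.0.2.20",
    "intranet.corp": "10.0.0.5",
    "v6trick.example": "::ffff:10.0.0.5",   # IPv4-mapped IPv6 that lands inside the firewall
}

# Constructed stand-in for the servers the client talks to: URL -> (status, response headers)
FAKE_SERVERS = {
    "http://attacker.example/start":  (307, {"Location": "http://intranet.corp/admin"}),
    "http://attacker.example/mapped": (302, {"Location": "http://v6trick.example/"}),
    "http://attacker.example/bounce": (302, {"Location": "http://mirror.example/api"}),
    "http://attacker.example/see":    (303, {"Location": "http://mirror.example/done"}),
    "http://mirror.example/old":      (307, {"Location": "/api"}),
    "http://mirror.example/api":      (200, {}),
    "http://mirror.example/done":     (200, {}),
}

# Address space an Internet attacker cannot normally reach directly. This is an explicit
# list rather than ipaddress's is_global, which also rejects the TEST-NET ranges used above.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

REDIRECTS = (301, 302, 303, 307, 308)


class RedirectRefused(Exception):
    pass


def resolve(host):
    """Lookup against the constructed table; a KeyError here is the equivalent of NXDOMAIN."""
    return ipaddress.ip_address(FAKE_DNS[host])


def is_public_target(url):
    """True if the target host resolves outside NON_PUBLIC (after unwrapping IPv4-mapped IPv6)."""
    addr = resolve(urlsplit(url).hostname)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped            # ::ffff:10.0.0.5 reaches 10.0.0.5 on the wire
    return not any(addr in net for net in NON_PUBLIC)


def origin(url):
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or {"http": 80, "https": 443}[p.scheme])


def send(url, method="GET", headers=None, body=None, max_redirects=5):
    """Issue a request and follow redirects as a webbot would, with the two guards applied."""
    headers = dict(headers or {})
    hops = [url]
    for _ in range(max_redirects + 1):
        status, resp_headers = FAKE_SERVERS.get(url, (404, {}))
        if status not in REDIRECTS:
            return {"status": status, "hops": hops, "method": method,
                    "body": body, "headers": headers}
        target = urljoin(url, resp_headers["Location"])
        # Guard 1: credentials never travel to a different origin.
        if origin(target) != origin(url):
            headers.pop("Authorization", None)
            headers.pop("Cookie", None)
        # Guard 2: a redirect may only take us where the sender could have gone directly.
        if not is_public_target(target):
            raise RedirectRefused(f"{url} redirects to non-public target {target}")
        # 303 always becomes GET; 301/302 after POST is conventionally treated the same way;
        # 307/308 replay the original method, body and Content-Type unchanged.
        if status == 303 or (status in (301, 302) and method == "POST"):
            method, body = "GET", None
            headers.pop("Content-Type", None)
        url = target
        hops.append(url)
    raise RedirectRefused(f"more than {max_redirects} redirects: {hops}")


def refuses(url, method="GET", headers=None, body=None):
    """Convenience wrapper: True if the client refuses to complete the redirect chain."""
    try:
        send(url, method, headers, body)
    except RedirectRefused:
        return True
    return False
```

With these tables, a POST carrying a bearer token to attacker.example/bounce arrives at mirror.example as a credential-less GET, a 307 that stays on mirror.example replays the POST body with the token intact, and the hops toward intranet.corp and the IPv4-mapped address are refused before any request is made. Dropping guard 1 but keeping guard 2 is exactly the "no credentials" configuration discussed above: the attacker gains nothing from the redirect that it could not have sent itself.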
