
Re: HTTPbis and the Same Origin Policy

From: Tyler Close <tyler.close@gmail.com>
Date: Thu, 3 Dec 2009 12:31:12 -0800
Message-ID: <5691356f0912031231j77913d43p7bf67f4f290ea6d9@mail.gmail.com>
To: Maciej Stachowiak <mjs@apple.com>
Cc: Adam Barth <w3c@adambarth.com>, Martin J. Dürst <duerst@it.aoyama.ac.jp>, Julian Reschke <julian.reschke@gmx.de>, public-web-security@w3.org
On Thu, Dec 3, 2009 at 12:24 PM, Maciej Stachowiak <mjs@apple.com> wrote:
>
> On Dec 3, 2009, at 12:10 PM, Tyler Close wrote:
>
>> On Thu, Dec 3, 2009 at 10:37 AM, Maciej Stachowiak <mjs@apple.com> wrote:
>>>
>>> Do you see an actual flaw in my reasoning as applied to the command-line
>>> tool in question?
>>
>> Sending a POST request with Content-Type application/xml using a
>> webbot is a likely thing to do and the redirect attack would not be
>> prevented by either of the mitigations you listed.
>
> How does that affect my original point 1? To recap, my point 1 was that if
> you send no credentials, only resources behind firewalls face potential
> vulnerability from redirects. This is so because such a request could be
> sent by the potential attacker directly, without involving a redirect. I
> believe this remains the case even if you send a POST request with
> Content-Type application/xml.

Yes, only resources that depend solely on a firewall (or client IP
address) for access control are vulnerable to the redirect attack.
Such resources are common enough that the webbot must not violate
their expected security model.

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Thursday, 3 December 2009 20:31:52 GMT
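A client-side redirect policy that encodes the point made in this message, as an added example (not code from the thread, from the webbot, or from any W3C project): an automatic client refuses to follow a redirect from a public origin into address space that is only reachable because of the firewall, and additionally refuses to replay a request body to a different origin. The host names and the name-to-address table are constructed so the example runs offline.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

# Constructed name table (hypothetical hosts) so the example runs offline.
# A real client would use the system resolver and check every address returned.
FAKE_DNS = {
    "public.example": "198.51.100.7",   # an attacker could reach this directly
    "intranet.example": "10.0.0.5",     # reachable only from inside the firewall
}

# Address space a request from outside the firewall could never reach; a
# redirect into it would turn the client into a confused deputy.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def resolve(host):
    """Return the address for host, or None when unknown (fail closed)."""
    try:
        return ipaddress.ip_address(host)          # literal IP in the URL
    except ValueError:
        ip = FAKE_DNS.get(host)
        return ipaddress.ip_address(ip) if ip else None

def origin(url):
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return (p.scheme, p.hostname, port)

def redirect_decision(method, current_url, location):
    """Decide whether an automatic client may follow a redirect.

    Returns (allowed, target_url, reason). A relative Location value is
    resolved against the URL that issued the redirect.
    """
    target = urljoin(current_url, location)
    t = urlsplit(target)
    if t.scheme not in ("http", "https") or not t.hostname:
        return False, target, "unsupported or malformed redirect target"
    src_ip, dst_ip = resolve(urlsplit(current_url).hostname), resolve(t.hostname)
    if dst_ip is None:
        return False, target, "cannot resolve target; refusing to guess"
    dst_internal = any(dst_ip in n for n in INTERNAL_NETS)
    src_internal = src_ip is not None and any(src_ip in n for n in INTERNAL_NETS)
    # Core rule from the thread: a public server must not be able to steer the
    # client at resources that rely only on the firewall or client IP address.
    if dst_internal and not src_internal:
        return False, target, "redirect from public origin into internal address space"
    # Conservative extra rule: never replay a request body to another origin.
    if method not in ("GET", "HEAD") and origin(current_url) != origin(target):
        return False, target, f"cross-origin redirect would replay a {method} body"
    return True, target, "ok"
```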
