Re: HTTPbis and the Same Origin Policy

On Thu, Dec 3, 2009 at 12:24 PM, Maciej Stachowiak <mjs@apple.com> wrote:
>
> On Dec 3, 2009, at 12:10 PM, Tyler Close wrote:
>
>> On Thu, Dec 3, 2009 at 10:37 AM, Maciej Stachowiak <mjs@apple.com> wrote:
>>>
>>> Do you see an actual flaw in my reasoning as applied to the command-line
>>> tool in question?
>>
>> Sending a POST request with Content-Type application/xml using a
>> webbot is a likely thing to do and the redirect attack would not be
>> prevented by either of the mitigations you listed.
>
> How does that affect my original point 1? To recap, my point 1 was that if
> you send no credentials, only resources behind firewalls face potential
> vulnerability from redirects. This is so because such a request could be
> sent by the potential attacker directly, without involving a redirect. I
> believe this remains the case even if you send a POST request with
> Content-Type application/xml.

Yes, only resources that depend solely on a firewall (or client IP
address) for access-control are vulnerable to the redirect attack.
Such resources are common enough that the webbot must not violate
their expected security model.

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html

Received on Thursday, 3 December 2009 20:31:52 UTC
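The redirect attack discussed in this message, reconstructed as an added example (this is not code from the thread, nor from any webbot the participants refer to): a command-line client POSTs an application/xml body to an attacker-controlled public host, which answers 307 with a Location inside the firewall; a client that follows redirects unconditionally replays the POST, body and all, against an intranet resource that relies solely on the firewall for access control. The host names, addresses, the in-memory "network" and the XML payload are all constructed for the example; the hardened policy shown is one assumed mitigation (refuse to follow a redirect to a target that resolves to a non-global address), not one the thread itself specifies.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for DNS (assumption: a real client resolves at connect time).
RESOLVE: Dict[str, str] = {
    "evil.example": "93.184.216.34",  # attacker-controlled, globally routable
    "intranet.corp": "10.1.2.3",      # reachable only from behind the firewall
    "localhost": "127.0.0.1",
}

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


@dataclass
class Request:
    method: str
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: Optional[bytes] = None


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


class FakeNetwork:
    """Two constructed servers; records every request each one receives."""

    def __init__(self) -> None:
        self.received: Dict[str, List[Request]] = {h: [] for h in RESOLVE}

    def fetch(self, req: Request) -> Response:
        host = urlsplit(req.url).hostname or ""
        self.received.setdefault(host, []).append(req)
        if host == "evil.example":
            # 307 tells the client to replay method *and* body at the new location.
            return Response(307, {"Location": "http://intranet.corp/admin/config"})
        if host == "intranet.corp":
            # Relies solely on the firewall: no credential check, accepts any POST.
            return Response(200, body=b"config updated")
        return Response(404)


def target_is_public(url: str) -> bool:
    """Hardened policy: only follow redirects to hosts that resolve to global addresses."""
    host = urlsplit(url).hostname or ""
    addr = RESOLVE.get(host)
    return addr is not None and ipaddress.ip_address(addr).is_global


def follow(req: Request, fetch: Callable[[Request], Response],
           allow_hop: Callable[[str, str], bool],
           max_hops: int = 5) -> Tuple[Response, List[str]]:
    """Follow 3xx responses; allow_hop(current_url, location) is consulted before each hop."""
    trail = [req.url]
    for _ in range(max_hops):
        resp = fetch(req)
        if resp.status not in REDIRECT_STATUSES:
            return resp, trail
        location = resp.headers.get("Location")
        if location is None or not allow_hop(req.url, location):
            return resp, trail  # hand the 3xx back to the caller instead of following it
        if resp.status == 303 or (resp.status in (301, 302) and req.method == "POST"):
            req = Request("GET", location)  # common client behaviour: method and body dropped
        else:
            req = Request(req.method, location, dict(req.headers), req.body)  # 307/308: replayed
        trail.append(location)
    raise RuntimeError("too many redirects")


PAYLOAD = b"<config><admin-password>pwned</admin-password></config>"  # constructed


def run_webbot(allow_hop: Callable[[str, str], bool]):
    """Send the attacker-facing POST and report what reached the intranet host."""
    net = FakeNetwork()
    start = Request("POST", "http://evil.example/api",
                    {"Content-Type": "application/xml"}, PAYLOAD)
    resp, trail = follow(start, net.fetch, allow_hop)
    return resp, trail, net.received["intranet.corp"]


def naive_hop(_current: str, _location: str) -> bool:
    return True  # follow every redirect: the vulnerable behaviour


def hardened_hop(_current: str, location: str) -> bool:
    return target_is_public(location)


if __name__ == "__main__":
    resp, trail, hits = run_webbot(naive_hop)
    print("naive:", resp.status, trail, [(r.method, r.body) for r in hits])
    resp, trail, hits = run_webbot(hardened_hop)
    print("hardened:", resp.status, trail, hits)
```

With the naive policy the intranet server receives the full POST, Content-Type application/xml and body intact, even though the client never attached credentials, which is exactly the case where only firewall-protected resources are exposed. The address check must be applied to the address the client actually connects to on each hop (resolve, then check, or check inside the connect hook), otherwise a hostname that resolves differently between the check and the connection defeats it; a simpler policy for a command-line tool is to not follow redirects for non-GET requests at all and let the operator decide.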