W3C home > Mailing lists > Public > public-web-security@w3.org > May 2012

Re: same-origin assertions in the DNS (Fwd: [apps-discuss] draft-sullivan-domain-origin-assert-00)

From: Andrew Sullivan <ajs@anvilwalrusden.com>
Date: Thu, 10 May 2012 02:25:58 -0400
To: Henrik Nordström <henrik@henriknordstrom.net>
Cc: Maciej Stachowiak <mjs@apple.com>, Peter Saint-Andre <stpeter@stpeter.im>, Thomas Roessler <tlr@w3.org>, public-web-security <public-web-security@w3.org>
Message-ID: <20120510062455.GA13984@mail.yitter.info>
Hi,

I'm responding to two messages at once because I didn't receive the
earlier of these.  I should note that I'm not actually a subscriber to
any w3c list, and so if one wants me to address a particular objection
one needs to cc: me for the time being.  I appreciate the comments,
however!

On Thu, May 10, 2012 at 07:17:40AM +0200, Henrik Nordström wrote:
> ons 2012-05-09 klockan 22:10 -0700 skrev Maciej Stachowiak:
> 
> > Treating separate domains as same-origin based on DNS records seems
> > extremely dangerous

I'm not sure how I can respond to this objection, given that the
entire idea of "same origin" without DNS is hard for me to understand.
What do you mean by it?  I think the draft actually points out that,
if both sides don't agree or you're not using DNSSEC (or both), there
are problems.  Is that not clear enough?

> Further, the user-agent may be using proxies, not using or even having
> access to DNS.

Indeed, and I thought I called that out as one of the central
problems:

6.  Limitations of the approach
[…]
   Finally, in many environments the system hosting the application has
   only proxied access to the Internet, and cannot query the DNS
   directly.  It is not clear how such clients could ever possibly
   retrieve the BOUND record for a name.

Is that not clear enough?  What would make it clearer?

Best,

A  

-- 
Andrew Sullivan
ajs@anvilwalrusden.com
Received on Thursday, 10 May 2012 06:27:22 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 10 May 2012 06:27:24 GMT