- From: Andrew Sullivan <ajs@anvilwalrusden.com>
- Date: Thu, 10 May 2012 10:06:13 -0400
- To: Maciej Stachowiak <mjs@apple.com>
- Cc: Peter Saint-Andre <stpeter@stpeter.im>, Thomas Roessler <tlr@w3.org>, public-web-security <public-web-security@w3.org>
Hi,

I see this message now. Thanks for the review.

On Wed, May 09, 2012 at 10:10:34PM -0700, Maciej Stachowiak wrote:
>
> The Internet-Draft is pretty vague about what browsers should do
> with this info, but it states:

The I-D is vague about that partly because I just don't know what browsers or any other client should do with the info. The basic idea is to make some information available so that people _could_ do things with that information; as matters stand, the information is (or at least, I've been led to believe it is) not available at all.

> Treating separate domains as same-origin based on DNS records seems
> extremely dangerous, with little counter-balancing benefit (it would
> not actually be usable until implemented in a large majority of
> browsers, and there's safer ways to communicate between different
> origins). In addition to the obvious XSS dangers, consider also how
> this feature might combine with DNS rebinding attacks.

A clue about these safer ways would be most helpful to me. Everything I've encountered so far suggests to me that people are making decisions based partly on the name of the server to which they're connecting. I'd be pleased as punch to learn that I'm completely wrong about that, though.

> And finally, this draft does not account for the scheme and port,
> which are also part of the origin tuple.

This is a helpful observation; thanks. It suggests that either the new RRTYPE would need a way of expressing those additional details, or maybe that the new RRTYPE is a mistake and that this should all be done with underscore labels and NAPTR records. One could put the scheme and port data into the RDATA in order to distinguish cases this way. Would that help?

I fully agree with the worries, expressed a couple times now, about deployability. I wish I had a good answer to them; it's certainly my (own) strongest objection to the idea.

Best,

A

--
Andrew Sullivan
ajs@anvilwalrusden.com

Received on Thursday, 10 May 2012 14:06:41 UTC