W3C home > Mailing lists > Public > public-web-security@w3.org > May 2012

Re: same-origin assertions in the DNS (Fwd: [apps-discuss] draft-sullivan-domain-origin-assert-00)

From: Maciej Stachowiak <mjs@apple.com>
Date: Sun, 13 May 2012 03:55:38 -0700
Cc: Peter Saint-Andre <stpeter@stpeter.im>, Thomas Roessler <tlr@w3.org>, public-web-security <public-web-security@w3.org>
Message-id: <2AB8E28B-9324-435C-B7D7-EB6684619331@apple.com>
To: Andrew Sullivan <ajs@anvilwalrusden.com>

On May 10, 2012, at 7:06 AM, Andrew Sullivan <ajs@anvilwalrusden.com> wrote:

> Hi,
> 
> I see this message now.  Thanks for the review.
> 
> On Wed, May 09, 2012 at 10:10:34PM -0700, Maciej Stachowiak wrote:
>> 
>> The Internet-Draft is pretty vague about what browsers should do
>> with this info, but it states:
> 
> The I-D is vague about that partly because I just don't know what
> browsers or any other client should do with the info.  The basic idea
> is to make some information available so that people _could_ do things
> with that information; as matters stand, the information is (or at
> least, I've been led to believe it is) not available at all.

OK. It's hard to evaluate the merit of the idea without more specifics about what clients could do with the info. Some plausible inferences about how might use the info seem insecure. It may be that there are valid use cases for the info that can be implemented securely. I think it may be necessary to spell out the intended uses of the info to evaluate whether it is in fact useful in the form suggested by the Internet-Draft.

> 
>> Treating separate domains as same-origin based on DNS records seems
>> extremely dangerous, with little counter-balancing benefit (it would
>> not actually be usable until implemented in a large majority of
>> browsers, and there's safer ways to communicate between different
>> origins). In addition to the obvious XSS dangers, consider also how
>> this feature might combine with DNS rebinding attacks.
> 
> A clue about these safer ways would be most helpful to me.

One example of a safe way to communicate between different domains on the browser client side (i.e. do something like "cross-document information sharing in ECMAScript DOM") is the postMessage API. <http://dev.w3.org/html5/postmsg/>

>  Everything
> I've encountered so far suggests to me that people are making
> decisions based partly on the name of the server to which they're
> connecting.  I'd be pleased as punch to learn that I'm completely
> wrong about that, though.

You are roughly correct. Many decisions about security in a Web client are based on a notion of "same origin" which is based partly on the name of the host that established the security context (not necessarily the one you're "connecting to" in all cases; it's unfortunately somewhat complicated).

Regards,
Maciej
Received on Sunday, 13 May 2012 10:55:59 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 13 May 2012 10:55:59 GMT