W3C home > Mailing lists > Public > public-webapi@w3.org > February 2008

Re: Security-sensitive headers

From: Collin Jackson <collinj@cs.stanford.edu>
Date: Tue, 19 Feb 2008 13:07:09 -0800
Message-ID: <986207e70802191307p21519db1u18b0fbcf029a55bf@mail.gmail.com>
To: "Anne van Kesteren" <annevk@opera.com>
Cc: public-webapi@w3.org, "Adam Barth" <abarth@cs.stanford.edu>

On Feb 19, 2008 1:10 AM, Anne van Kesteren <annevk@opera.com> wrote:
> On Tue, 19 Feb 2008 02:21:31 +0100, Collin Jackson
> <collinj@cs.stanford.edu> wrote:
> > Approach 1: Create a prefix denoting headers that are determined by
> > the user agent and cannot be overwritten by unprivileged JavaScript.
> > For example, "UA-" or "Sec-". This is the approach we prefer.
>
> Given that older clients and malicious clients will be vulnarable why is
> that not a problem going forward? I'm fine with doing this though.

The goal of security restrictions on headers is to protect a
non-malicious user agent's resources (IP address, cookies, etc.) from
being misused by mobile code that has been loaded by user agent. If
the user agent itself is malicious, there's nothing for the attacker
to steal that the attacker doesn't already control.

Correctly handling older user agents is certainly an important issue.
Older user agents will not be able to easily send cross-site
XMLHttpRequests, limiting the attacker's options. It is still be
possible to send cross-site XMLHttpRequests in older user agents using
DNS rebinding, but Host header checking can mitigate this issue. Users
can also upgrade their user agent to benefit from increased security.

> > Another related issue that would be good to standardize is the
> > handling of the Cookie header. Internet Explorer 6 and 7 doesn't
> > appear to allow Cookies to be set using XMLHttpRequest at all. Firefox
> > 2 allows pages to use XMLHttpRequest to set a Cookie header, but
> > merges the user-set header with the user agent header:
> >
> > Cookie: [actual cookies values]; [user-set Cookie header value]
> >
> > I've heard some arguments for removing Cookies from cross-site
> > XMLHttpRequests, which indicates to me that the Cookie header might be
> > a good candidate for adding to the security-sensitive list.
>
> What are those arguments?

The main issue with the Cookie header in cross-site XMLHttpRequests is
these cookies are considered third-party cookies because they can be
used by ad networks to track users across domains. Firefox 3 blocks
third-party cookies by default:
<http://kb.mozillazine.org/Network.cookie.cookieBehavior>

In addition to privacy concerns, there are some security concerns. GET
requests aren't supposed to have side effects. However, sometimes they
do so unintentionally (the server doesn't bother checking the
request's method) and sometimes they do so intentionally (e.g. adding
searches that you've made to your Google search history). Thus, a
cross-site GET request may be dangerous, even if the attacker can't
read back the response.

One technique to prevent cross-site request forgery is to use HTTP
headers. The Referer header isn't reliably present, and the
Referer-Root header isn't deployed yet, so instead you just define
your own header instead and make all requests using XMLHttpRequest.
The idea is that XMLHttpRequest can't be used to set headers across
origins, and a cross-domain form can't be used to set headers at all,
so if the request includes a custom header (e.g. X-CSRF-Defense) then
you know the request is legitimate. However, XMLHttpRequest Level 2
would allow an attacker to make a GET request with the user's cookies
that also includes the X-CSRF-Defense header. The attacker wouldn't be
able to read back the response (since the Access-Control information
is missing) but reading back the response is not necessary for a CSRF
attack. It may be safer not to send the user agent's cookies in a
cross-site request in this scenario.

Another technique to prevent cross-site request request forgery is to
store a session ID in a cookie and embed that session ID as a hidden
input field in every form. When the server receives a request, it
compares the cookie with the hidden input field and accepts the
request only if they are non-empty and equal. However, if the Cookie
header is not considered security-sensitive, XMLHttpRequest Level 2
would allow an attacker to make a GET request that includes a session
ID in both the a query parameter and the Cookie header. Since the
fields match, the server might be confused into accepting the request.
In this scenario, it may be safer not to allow the attacker to set a
Cookie header on the cross-site XMLHttpRequest.

These examples are not exhaustive, and I have no idea how many web
applications might be affected, but they do illustrate that the Cookie
header should be handled with care.

-- Collin Jackson
Received on Wednesday, 20 February 2008 16:44:21 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 20 February 2008 16:44:21 GMT