Re: [access-control] non same-origin to same-origin redirect

From: Jonas Sicking <jonas@sicking.cc>
Date: Mon, 06 Oct 2008 11:19:00 -0700
Message-ID: <48EA5694.2090608@sicking.cc>
To: Anne van Kesteren <annevk@opera.com>
CC: WebApps WG <public-webapps@w3.org>

Anne van Kesteren wrote:
> On Fri, 03 Oct 2008 14:10:43 +0200, Anne van Kesteren <annevk@opera.com> 
> wrote:
>> Since Jonas didn't e-mail about this I thought I would. Say 
>> http://x.example/x does a request to http://y.example/y. 
>> http://y.example/y redirects to http://x.example/y. If this request 
>> were to use the Access Control specification the algorithm would have 
>> a status return flag set to "same-origin" and a url return flag set to 
>> http://x.example/y. XMLHttpRequest Level 2 would then attempt a same 
>> origin request to http://x.example/y.
>> For simplicity and to err on the side of security it has been 
>> suggested to remove the status return flag "same-origin" and simply 
>> keep following the normal rules. This would mean that if that request 
>> were to be successful http://x.example/y would need to include 
>> Access-Control-Allow-Origin: http://x.example (or a value * would also 
>> be ok if the credentials flag is false). I'm planning on making this 
>> change in the next few days.
> I updated both Access Control and XMLHttpRequest Level 2 to no longer 
> special case the scenario where during a non same origin request you're 
> redirected to a same origin URL. Both specifications use the "status 
> flag" (previously known as the "status return flag") and the "url return 
> flag" is gone.

I think this is the better of the two alternatives.

The scenario that I am worried about is a page on server sensitive.com 
reads public data from evil.com. However, if evil.com redirects back to a 
private resource on sensitive.com, sensitive.com might be dealing with 
sensitive user-private data without being aware of it. This seems scary 
and could lead to the data being stored or published somewhere unsafe.

Things still aren't perfect since it's strange that a site has to trust 
itself. And that if it does it'd be back in the somewhat scary situation 
described above, but it's at least somewhat better IMHO.

/ Jonas
Received on Monday, 6 October 2008 18:21:58 UTC
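
Added example, not part of the original message or of either specification: a simplified JavaScript model of the two alternatives discussed in this thread, run against the http://x.example / http://y.example redirect from the quoted text. The function names, the status strings other than "same-origin", the redirect limit and the choice to check the redirect response itself are assumptions.

```javascript
// Simplified model of the redirect handling discussed in this thread.
// Not the specification's algorithm: the names, and the choice to check
// every hop including the redirect response itself, are assumptions.
const originOf = (url) => new URL(url).origin;

// Access-Control-Allow-Origin check as described in the quoted text:
// exact origin match, or "*" only when the credentials flag is false.
function headerAllows(allowOrigin, requestOrigin, credentials) {
  if (allowOrigin === "*") return !credentials;
  return allowOrigin === requestOrigin;
}

// `responses` is a constructed map: URL -> { redirect, allowOrigin }.
function crossOriginRequest(requestOrigin, startUrl, responses, opts = {}) {
  const { credentials = false, sameOriginSpecialCase = false } = opts;
  let url = startUrl;
  for (let hop = 0; hop < 5; hop++) { // arbitrary redirect limit
    if (hop > 0 && sameOriginSpecialCase && originOf(url) === requestOrigin) {
      // Removed behaviour: hand the URL back for a plain same-origin
      // request, which performs no Access-Control-Allow-Origin check.
      return { status: "same-origin", url };
    }
    const resp = responses[url];
    if (!resp) return { status: "network error", url };
    if (!headerAllows(resp.allowOrigin, requestOrigin, credentials)) {
      return { status: "blocked", url };
    }
    if (!resp.redirect) return { status: "success", url };
    url = resp.redirect;
  }
  return { status: "network error", url };
}

// Constructed sample data using the hosts from the quoted message.
const ORIGIN = "http://x.example";
const withoutOptIn = {
  "http://y.example/y": { redirect: "http://x.example/y", allowOrigin: "*" },
  "http://x.example/y": {}, // same-origin target sends no header
};
const withOptIn = {
  ...withoutOptIn,
  "http://x.example/y": { allowOrigin: "http://x.example" },
};

const START = "http://y.example/y";
console.log(crossOriginRequest(ORIGIN, START, withoutOptIn, { sameOriginSpecialCase: true }));
console.log(crossOriginRequest(ORIGIN, START, withoutOptIn)); // current rule
console.log(crossOriginRequest(ORIGIN, START, withOptIn));    // current rule, target opts in
```

With the special case enabled, the redirect target is returned for a same-origin request without ever being asked to opt in; with it removed, the same redirect is blocked unless http://x.example/y sends the header itself.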
