W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2009

Re: XHR without user credentials

From: Jonas Sicking <jonas@sicking.cc>
Date: Sun, 14 Jun 2009 02:16:59 -0700
Message-ID: <63df84f0906140216h41e01c02gce38466a0f308672@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: Tyler Close <tyler.close@gmail.com>, "Mark S. Miller" <erights@google.com>, Anne van Kesteren <annevk@opera.com>, public-webapps <public-webapps@w3.org>
A few comments:

On Sat, Jun 13, 2009 at 5:39 AM, Tyler Close<tyler.close@gmail.com> wrote:
> On Fri, Jun 12, 2009 at 10:36 PM, Adam Barth<w3c@adambarth.com> wrote:
>>> Isn't your answer above only about client (user agent) behavior? I'd still
>>> like understand what the recommended/expected difference in server behavior
>>> should/might be depending of whether Origin is absent or null. Thanks.
>>
>> Suppose GuestXHR doesn't send an Origin header for any requests and a
>> server uses the algorithm in draft-abarth-origin to mitigate CSRF
>> attacks.  Now, an attacker can mount a CSRF attack against the server.
>
> Could you provide a bit more detail here? I don't understand how an
> attacker could mount a CSRF attack using GuestXHR, if there are no
> user credentials in a GuestXHR request.

User A is sitting inside a corporate firewall. Server B is also
located inside this firewall. Server C is located on the public
internet, outside the firewall. The firewall prevents server C from
making HTTP connections with server B, however both A and B can make
HTTP connections with C.

(This is a very common setup on corporate intranets)

Server B uses Caja or a similar technology to pull in a 3rd party JS
library, D, from server C, while still preventing D from using
XMLHttpRequest.

(This I believe is less common since Caja and similar technologies has
not yet been widely deployed. But as I understand it, this is the
environment where GuestXMLHttpRequest is intended to work. Please let
me know if this is not correct)

B now decides to allow D to create network connections using
GuestXMLHttpRequest.

Because of this, server C now gains the ability to make HTTP
connections to B, something that it was previously not able to do.
Meanwhile, B has previously not had to rely on any authentication
mechanisms since only users inside the corporate firewall was able to
connect to it. For example it could be supporting REST and allow users
to upload HTML files using PUT commands which are immediately hosted
and served from B.

This is similar to the IP authentication that Adam mentioned, but here
the server simply relies on that anyone that can connect to it, is a
trusted party. At least beyond the standard set of cross-site
connections that all browsers can do today (GET/HEAD/POST).

I believe this is a quite common thing to rely on. After all,
corporations wouldn't bother hosting things inside corporate firewalls
and demand that users had to use VPN in order to get access, if they
weren't relying on the firewalls for protection.

On Sat, Jun 13, 2009 at 2:45 PM, Adam Barth<w3c@adambarth.com> wrote:
> On Sat, Jun 13, 2009 at 12:20 PM, Tyler Close<tyler.close@gmail.com> wrote:
>> On Sat, Jun 13, 2009 at 10:23 AM, Adam Barth<w3c@adambarth.com> wrote:
>>> For example, GuestXHR could be used to mount a login CSRF attack.
>>
>> Are you sure about that? Since the response won't carry the
>> Access-Control-Allow-Origin header, the browser shouldn't set any
>> cookies. I don't see how this attack works.
>
> Why do you assume the response won't carry the header
> "Access-Control-Allow-Origin: *" ?  That just means the content of the
> response is public, which might well be true.

In mozillas implementation of "credential less channels", used to
implement credential-less CORS requests, even if the remote server
sets a cookie and sends "Access-Control-Allow-Origin: *", we won't
store that cookie. The request is essentially completely separated
from the rest of the user session, no cookies or other auth tokens are
read or saved, and no cache entries are read or saved.

I'm pretty sure the CORS spec requires this behavior.

If I recall correctly, we don't even reuse a keep-alive channel that
has been used to send credentials. Though the CORS spec does not
demand this.

So I don't think GuestXMLHttpRequest can be used to mount login CSRF attacks.

On Sat, Jun 13, 2009 at 3:49 PM, Tyler Close<tyler.close@gmail.com> wrote:
>> Which is why we're discussing servers that act use the Origin header
>> as a CSRF defense, as described in draft-abarth-origin.
>
> Ignoring the non-existence of such servers?

Of course. Any new spec is not going to have any users until there are
implementations. And very few users until there are many
implementations. Likewise, GuestXMLHttpRequest doesn't have users
right now, yet we are discussing deploying it, right?

/ Jonas
Received on Sunday, 14 June 2009 09:17:56 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:31 GMT