W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2009

Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?)

From: Tyler Close <tyler.close@gmail.com>
Date: Mon, 21 Dec 2009 10:26:27 -0800
Message-ID: <5691356f0912211026m5fe69e5fqa84cff17217199a2@mail.gmail.com>
To: Ian Hickson <ian@hixie.ch>
Cc: public-webapps <public-webapps@w3.org>
On Thu, Dec 17, 2009 at 5:49 PM, Ian Hickson <ian@hixie.ch> wrote:
> On Thu, 17 Dec 2009, Tyler Close wrote:
>> Starting from the X-FRAME-OPTIONS proposal, say the response header
>> also applies to all embedding that the page renderer does. So it also
>> covers <img>, <video>, etc. In addition to the current values, the
>> header can also list hostname patterns that may embed the content. So,
>> in your case:
>> X-FRAME-OPTIONS: *.example.com
>> Access-Control-Allow-Origin: *
>> Which means anyone can access this content, but sites outside
>> *.example.com should host their own copy, rather than framing or
>> otherwise directly embedding my copy.
> Why is this better than:
>   Access-Control-Allow-Origin: *.example.com

X-FRAME-OPTIONS is a rendering instruction and
Access-Control-Allow-Origin is part of an access-control mechanism.
Combining the two in the way you propose creates an access-control
mechanism that is inherently vulnerable to CSRF-like attacks, because
it determines read access to bits based on the identity of the

Using your example, assume an XML resource sitting on an intranet
server at resources.example.com. The author of this resource is trying
to restrict access to the XML data to only other intranet resources
hosted at *.example.com. The author believes this can be accomplished
by simply setting the Access-Control-Allow-Origin header as you've
show above, but that's not strictly true. Every page hosted on
*.example.com is now a potential target for a CSRF-like attack that
reveals the secret data. For example, consider a page at
victim.example.com that uses a third party storage service. To copy
data, the page does a GET on the location of the existing data,
followed by a POST to another location with the data to be copied. If
the storage service says the location of the existing data is the URL
for the secret XML data (http://resources.example.com/...), then the
victim page suffers a CSRF-like attack that exposes the secret data.
The victim page may know nothing of the existence or purpose of the
secret XML resource.

To avoid this pitfall, we instead design the access-control mechanism
to not create these traps. With the bogus technique removed, the
author of a protected resource can now choose amongst techniques that
actually work.

To address your bandwidth stealing concerns, and other similar issues,
we define X-FRAME-OPTIONS so that a resource author can inform the
browser's renderer of these preferences. So your XBL resource can
declare that it was only expecting to be applied to another resource
from *.example.com. The browser can detect this misconfiguration and
raise an error notification.

By separating the two mechanisms, we make the access-control model
clear and correct, while still providing the rendering control you


"Waterken News: Capability security on the Web"
Received on Monday, 21 December 2009 18:27:00 UTC

This archive was generated by hypermail 2.3.1 : Friday, 27 October 2017 07:26:21 UTC