
Re: [UMP] Feedback on UMP from a quick read

From: Adam Barth <w3c@adambarth.com>
Date: Fri, 8 Jan 2010 15:56:06 -0800
Message-ID: <7789133a1001081556vc348809o7e875663baecc822@mail.gmail.com>
To: Tyler Close <tyler.close@gmail.com>
Cc: public-webapps <public-webapps@w3.org>

On Fri, Jan 8, 2010 at 3:36 PM, Tyler Close <tyler.close@gmail.com> wrote:
> There are two uses for this requirement:
> 1. On browsers that don't yet support any cross-domain API, it would
> be nice to emulate support by routing the request through the
> requestor's Origin server. To help ensure the response is the same
> whether it was sent directly from the user agent or via the Origin
> server, we omit any information about the sending software.

If this is an important consideration, then the server software can
just copy the relevant headers.  I'm not sure there's a good security
case to be made here for deviating from standard operating procedure.
It seems quite sensible to send an Accept header of */* instead of
omitting the header.

> 2. Omitting these headers can significantly reduce message size and so
> improve performance.

This seems like premature optimization to me.  Do you have benchmarks
that show this has any impact on page load time (or any other metric
you think is interesting)?

[... Requiring uniform responses to redirects ...]
> It's a good thing to question, since this feature is a
> relaxation of the model, but it seems valuable and without risk. Can
> you think of a danger here?

Here's an obscure risk:

1) An enterprise (example.com) has a partially open redirector
(go.corp.example.com) behind their firewall
2) The redirector will only redirect to *.example.com
3) There is a public site api.example.com that opts into UMP

Now the attacker can probe go.corp.example.com by asking for redirects
to api.example.com and reading back the response.  This is especially
problematic if the redirector attaches interesting bits to the URLs it
directs (like API keys).  This attack is not possible with the <form>
element.

Adam
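The redirector scenario above, as an added toy model that is not part of the email: a user agent follows redirects under two policies, one where only the final response must opt in (the relaxation being questioned) and one where every hop must. The hostnames follow the message; the opt-in header, the `?to=` redirector parameter and the key value are assumptions.

```python
# Added example (not from the thread): toy model of cross-origin redirect
# handling to show why "only the final hop opts in" exposes an intranet
# redirector. Opt-in header, ?to= parameter and key value are assumptions.
from dataclasses import dataclass, field
from urllib.parse import urlparse, parse_qs

OPT_IN_HEADER = "Access-Control-Allow-Origin"  # assumed opt-in marker

@dataclass
class Response:
    url: str
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

# Constructed servers: an intranet redirector that only redirects to
# *.example.com and appends a key, and a public API that opts in.
def corp_redirector(url: str) -> Response:
    target = parse_qs(urlparse(url).query).get("to", [""])[0]
    if not target.endswith(".example.com"):
        return Response(url, 403, body="forbidden")
    location = f"https://{target}/?key=KEY-PLACEHOLDER"  # constructed value
    return Response(url, 302, {"Location": location})

def public_api(url: str) -> Response:
    return Response(url, 200, {OPT_IN_HEADER: "*"}, body=f"served {url}")

def fetch_hop(url: str) -> Response:
    if url.startswith("https://go.corp.example.com/"):
        return corp_redirector(url)
    return public_api(url)

def cross_origin_fetch(url: str, require_uniform_hops: bool, max_hops: int = 5):
    """Follow redirects; return the body if exposed to the requester, else None.
    require_uniform_hops=False: only the final response needs the opt-in.
    require_uniform_hops=True: every hop, redirects included, needs it."""
    for _ in range(max_hops):
        resp = fetch_hop(url)
        if 300 <= resp.status < 400 and "Location" in resp.headers:
            if require_uniform_hops and resp.headers.get(OPT_IN_HEADER) != "*":
                return None  # the redirector never opted in: stop here
            url = resp.headers["Location"]
            continue
        return resp.body if resp.headers.get(OPT_IN_HEADER) == "*" else None
    return None

PROBE = "https://go.corp.example.com/?to=api.example.com"
```

Under the relaxed policy the probe returns the API's response, key included, while requiring every hop to opt in stops at the redirector.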
Received on Friday, 8 January 2010 23:57:14 GMT
