- From: Adam Barth <w3c@adambarth.com>
- Date: Fri, 8 Jan 2010 15:56:06 -0800
- To: Tyler Close <tyler.close@gmail.com>
- Cc: public-webapps <public-webapps@w3.org>
On Fri, Jan 8, 2010 at 3:36 PM, Tyler Close <tyler.close@gmail.com> wrote:
> There are two uses for this requirement:
> 1. On browsers that don't yet support any cross-domain API, it would
> be nice to emulate support by routing the request through the
> requestor's Origin server. To help ensure the response is the same
> whether it was sent directly from the user agent or via the Origin
> server, we omit any information about the sending software.

If this is an important consideration, then the server software can just
copy the relevant headers. I'm not sure there's a good security case to be
made here for deviating from standard operating procedure. It seems quite
sensible to send an Accept header of */* instead of omitting the header.

> 2. Omitting these headers can significantly reduce message size and so
> improve performance.

This seems like premature optimization to me. Do you have benchmarks that
show this has any impact on page load time (or any other metric you think
is interesting)?

[... Requiring uniform responses to redirects ...]

> It's a good thing to question, since this feature is a
> relaxation of the model, but it seems valuable and without risk. Can
> you think of a danger here?

Here's an obscure risk:

1) An enterprise (example.com) has a partially open redirector
(go.corp.example.com) behind their firewall
2) The redirector will only redirect to *.example.com
3) There is a public site api.example.com that opts into UMP

Now the attacker can probe go.corp.example.com by asking for redirects to
api.example.com and reading back the response. This is especially
problematic if the redirector attaches interesting bits to the URLs it
directs (like API keys).

This attack is not possible with the <form> element.

Adam
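The redirect risk sketched in the message, modelled as an added example (this is not code from the thread, from Adam Barth, or from any browser or UMP implementation). The hostnames, the opt-in header name, the echoed query, the appended key and the two policies are constructed assumptions. It contrasts the relaxation under discussion (only the final response after redirects must opt in to cross-origin reading) with the stricter rule that every response in the chain, the redirect itself included, must opt in; the stricter rule is the one CORS/Fetch later adopted, where a redirect response is itself subjected to the access check. Under the strict rule the page on the other origin sees the same opaque result whether or not the internal redirector redirected, so it learns nothing.

```python
"""Model of cross-origin reads through a partially open redirector.

Constructed example: go.corp.example.com, api.example.com, the opt-in header
name, the echo endpoint and the appended key are all assumptions.
"""
from dataclasses import dataclass, field

OPT_IN = "Access-Control-Allow-Origin"  # assumed opt-in header name
REDIRECTS = {301, 302, 303, 307, 308}


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


# ---- constructed servers ---------------------------------------------------

def go_corp(query: dict) -> Response:
    """go.corp.example.com: behind the firewall, redirects only to *.example.com,
    and attaches an internal key to the redirect target (the 'interesting bits')."""
    target = query.get("to", "")
    if target == "example.com" or target.endswith(".example.com"):
        return Response(302, {"Location": f"https://{target}/echo?key=CORP-KEY-0001"})
    return Response(403, body="refused")


def api_public(query: dict) -> Response:
    """api.example.com: public, opts in to cross-origin reads, echoes its query."""
    return Response(200, {OPT_IN: "*"}, body=f"query={query}")


SERVERS = {"go.corp.example.com": go_corp, "api.example.com": api_public}


def parse(url: str):
    """Minimal constructed parser for https://host/path?k=v&k2=v2."""
    host, _, rest = url.removeprefix("https://").partition("/")
    _, _, qs = rest.partition("?")
    query = dict(kv.split("=", 1) for kv in qs.split("&") if kv)
    return host, query


# ---- browser model ---------------------------------------------------------

def cross_origin_fetch(url: str, policy: str, max_hops: int = 5):
    """A page on another origin fetches `url`; the victim's browser is inside
    the firewall, so it can reach go.corp.example.com.

    Returns the body the requesting page may read, or None (opaque / error).
    policy == "final": only the final response must opt in (the relaxation).
    policy == "every": every response in the chain, redirects included, must opt in.
    """
    for _ in range(max_hops):
        host, query = parse(url)
        server = SERVERS.get(host)
        if server is None:
            return None  # unreachable host: network error, nothing readable
        resp = server(query)
        if resp.status in REDIRECTS:
            if policy == "every" and resp.headers.get(OPT_IN) != "*":
                return None  # redirect response failed the access check
            url = resp.headers["Location"]
            continue
        return resp.body if resp.headers.get(OPT_IN) == "*" else None
    return None


def probe(policy: str):
    """What the other-origin page observes for an allowed target versus a
    disallowed one. Distinguishable results mean the redirector leaks."""
    allowed = cross_origin_fetch("https://go.corp.example.com/?to=api.example.com", policy)
    refused = cross_origin_fetch("https://go.corp.example.com/?to=evil.example.net", policy)
    return allowed, refused


if __name__ == "__main__":
    print("final-response-only policy:", probe("final"))
    print("every-response policy:     ", probe("every"))
```

With the `final` policy the page reads `query={'key': 'CORP-KEY-0001'}` for the allowed target and nothing for the refused one, so it both confirms the redirector's behaviour and recovers the appended key. With the `every` policy both fetches are opaque, which is what makes redirect responses subject to the same check a sound design choice.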
Received on Friday, 8 January 2010 23:57:14 UTC