
Re: [UMP] Feedback on UMP from a quick read

From: Adam Barth <w3c@adambarth.com>
Date: Sat, 9 Jan 2010 10:20:04 -0800
Message-ID: <7789133a1001091020l30e4cce0v4fd5a8b5241b322c@mail.gmail.com>
To: Tyler Close <tyler.close@gmail.com>
Cc: public-webapps <public-webapps@w3.org>

On Sat, Jan 9, 2010 at 7:23 AM, Tyler Close <tyler.close@gmail.com> wrote:
> If the response can be parsed as ECMAScript, an attacker can break
> confidentiality by loading the document using a <script> tag.

As Maciej says, just because the server can screw up its
confidentiality doesn't mean we should prevent servers from doing the
secure thing.  By this argument, we should remove the same-origin
policy entirely because some sites might have XSS vulnerabilities.

> Also,
> for any media-type, the attacker can mount a clickjacking attack
> against this design.

ClickJacking is an integrity attack.  I'm worried about confidentiality.

> Since in general this design cannot be made safe,
> I think it's better to not support it at all in the security model, by
> allowing a uniform request to follow a non-uniform redirect. A
> security model that works for some media-types but not others is just
> too bizarre to explain to developers.

That's the security model we have.  For example, it's safe to return
untrusted HTML tags with certain media types but not with others.

> This choice doesn't endanger
> existing resources, since CORS also allows a cross-origin request to
> follow a redirect that has not opted out of the Same Origin Policy.

I'm glad you consider CORS to be the epitome of a secure design.  :)

(As Maciej says, CORS doesn't appear to have this hole.)

Adam
Received on Saturday, 9 January 2010 18:21:05 GMT
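The confidentiality failure mode the thread argues over, as an added example (not code from the thread, from UMP, or from CORS): any page can load a cross-origin URL with `<script src="...">`, and if the response body parses as ECMAScript the loading page gets to evaluate it, so a server returning confidential data has to make sure the body is not a valid script, which is the "secure thing" Adam says servers should be allowed to do. The sample bodies are constructed, and the `)]}',` prefix is an assumed convention rather than anything the thread or the specs prescribe.

```javascript
// Added example, not code from the thread. Models the confidentiality failure
// mode under discussion: a cross-origin response that parses as ECMAScript can
// be loaded by any page via <script src="...">. A server returning confidential
// data must therefore make sure the body is not a valid script. All sample
// bodies below are constructed; the ")]}'," prefix is an assumed convention.

// True when `body` would be accepted by a classic <script> without a SyntaxError.
// new Function() parses the text as a function body, which is slightly more
// permissive than a script (e.g. it allows a top-level `return`), so this
// over-approximates: a "true" is a reason to worry, never a reason to relax.
function parsesAsScript(body) {
  try {
    new Function(body); // parse only; the body is never executed
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

const ANTI_SCRIPT_PREFIX = ")]}',\n"; // assumed convention, not from the thread

// Prefix a JSON text so it can no longer be parsed as a script. A same-origin
// fetch/XHR client strips the prefix before JSON.parse; a <script> tag fails on
// the leading ")" before evaluating anything.
function hardenJson(jsonText) {
  return ANTI_SCRIPT_PREFIX + jsonText;
}

function parseHardenedJson(body) {
  if (!body.startsWith(ANTI_SCRIPT_PREFIX)) {
    throw new Error("response is missing the anti-script prefix");
  }
  return JSON.parse(body.slice(ANTI_SCRIPT_PREFIX.length));
}

// Server-side gate: confidential JSON is always hardened, public JSON is sent
// as-is. Returns the body to send plus a verdict that tests can assert on.
function prepareResponse({ confidential, jsonValue }) {
  const text = JSON.stringify(jsonValue);
  const body = confidential ? hardenJson(text) : text;
  return { body, scriptLoadable: parsesAsScript(body) };
}

// Constructed sample responses, as a <script src> attacker would receive them.
const SAMPLES = [
  { label: "bare array of records", body: '[{"user":"alice","token":"s3cr3t"}]' },
  { label: "single object", body: '{"user":"alice","token":"s3cr3t"}' },
  { label: "bare string", body: '"s3cr3t"' },
  { label: "hardened array", body: hardenJson('[{"user":"alice","token":"s3cr3t"}]') },
  { label: "HTML page", body: "<html><body>hi</body></html>" },
];

for (const s of SAMPLES) {
  console.log(`${s.label.padEnd(22)} script-loadable: ${parsesAsScript(s.body)}`);
}
```

The single-object case fails to parse only because `{"user": ...}` is read as a block statement with a string literal followed by an unexpected `:`; arrays and scalars parse fine. That is exactly the "works for some media-types but not others" shape Tyler objects to, so a practical server rule is to harden every confidential body rather than reason about it per shape.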
