Limiting requests from the internet to the intranet. from Mike West on 2016-01-04 (public-webappsec@w3.org from January 2016)

From: Mike West <mkwst@google.com>
Date: Mon, 4 Jan 2016 14:10:49 +0100
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Cc: Brad Hill <hillbrad@gmail.com>, Dan Veditz <dveditz@mozilla.com>, Brian Smith <brian@briansmith.org>, Ryan Sleevi <sleevi@google.com>, Justin Schuh <jschuh@google.com>, Devdatta Akhawe <dev@dropbox.com>, Anne van Kesteren <annevk@annevk.nl>, Chris Palmer <palmer@google.com>
Message-ID: <CAKXHy=cA43ocfE8q8T2pp-=0m3z+poVxAZnVjikk4rX+9xb7UA@mail.gmail.com>

Happy new year, WebAppSec! This seems like a lovely time to rekindle the
fire under the public/private origin restriction that we removed from Mixed
Content way back in 2014 (
http://www.w3.org/TR/2014/WD-mixed-content-20140722/#private-origin).

I've put together a kinder, gentler take on hardening the user agent
against the kinds of attacks that such requests enable:
https://mikewest.github.io/cors-rfc1918/. It's pretty rough, as I've only
poked at it sporadically over the holidays, but I think there's enough
there to get a conversation going.

In a nutshell, the proposal is to require a CORS-preflight request for
requests initiated from the public internet which target private IP space.
This preflight requires an opt-in on the part of the intranet server via a
new CORS header, but doesn't block the requests entirely (which was a
failing of the initial proposal). I imagine this server-side opt-in being
combined in some intelligent way with a user-side opt-in (Presto-style
interstitial? permission request?), but I haven't explored anything in that
direction.

CCing a few folks who've commented on the topic in the past; I imagine
you'll have opinions. :)

-mike

Received on Monday, 4 January 2016 13:11:37 UTC