
Re: Origin enables XSS to escalate to XSRF (was: security issue with XMLHttpRequest API compatibility)

From: Mark S. Miller <erights@google.com>
Date: Fri, 5 Jun 2009 21:42:21 -0700
Message-ID: <4d2fac900906052142p5e650246if6d253beb4d3e275@mail.gmail.com>
To: public-webapps <public-webapps@w3.org>, Arthur Barstow <art.barstow@nokia.com>
Cc: Thomas Roessler <tlr@w3.org>, Tyler Close <tyler.close@gmail.com>, Jonas Sicking <jonas@sicking.cc>, "General discussions concerning capability systems." <cap-talk@mail.eros-os.org>, Google Caja Discuss <google-caja-discuss@googlegroups.com>, Douglas Crockford <douglas@crockford.com>, Tyler Close <tyler@waterken.com>, Collin Jackson <collinj@cs.stanford.edu>, Collin Jackson <collin.jackson@gmail.com>, Adam Barth <abarth@cs.stanford.edu>, Adam Barth <adam@adambarth.com>, David Wagner <daw@cs.berkeley.edu>, www-tag@w3.org
[+www-tag]

I have received several private responses to my post, but oddly, nothing
public yet. In these responses, I have been asked most frequently about:


On Wed, Jun 3, 2009 at 4:21 PM, Mark S. Miller <erights@google.com> wrote:

> Why identify even same origin requests as cross-origin? Given that all
> cross-origin requests are identified as such, then even without the normal
> credentials, the mere absence of an origin header identifies the
> requestor as being from the same origin. This is in fact a form of
> credential. If the containing page does not consider the script in
> question to speak for it, then it shouldn't be allowed to implicitly
> claim (by the absence of an origin header) to be from the same origin.
>

Since malicious machines, or malicious applications running on trusted
machines, can send messages that aren't self-identified as cross origin, why
do I suggest that lack of an origin header (in the absence of other
credentials) might lead a server into granting more access than it would for
messages self-identified as "Origin: null"?

For servers reachable from the open internet, such server behavior would
indeed be nonsensical. However, many servers are behind corporate firewalls
and not reachable from the open internet. The premise firewalls rely on,
whether sensible or not, is that all software running behind that firewall
that can send arbitrary network messages is not malicious. Under this
assumption, browsers behind the firewall are assumed not to be malicious
themselves, but of course may be running malicious scripts associated only
with origins outside the firewall. These can of course cause their browser
to initiate network messages to servers within the firewall, but only
messages identified with browser-imposed headers. For messages not
identified as cross origin, a server can assume that either the initiating
program is non-malicious (because it is associated with the server's
behind-the-firewall origin) or that the initiating program will not receive
the results of the request.

Under these admittedly fragile (but common) assumptions, a server may indeed
"trust" a message that doesn't identify itself as cross origin more than it
"trusts" one that does. Thus, a non-malicious script that doesn't wish the
sanitized scripts it loads to "speak for it" should force all the messages
they initiate to be identified as "Origin: null".

-- 
   Cheers,
   --MarkM
Received on Saturday, 6 June 2009 04:43:04 GMT
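As an added example (not code from the original post, nor from any W3C draft), the server-side policy the mail describes, expressed in JavaScript: a request carrying no Origin header is presumed same-origin under the firewall premise, "Origin: null" is not, and a concrete foreign origin is checked against an allowlist. The server origin, the allowlist and the sample request heads are constructed assumptions.

```javascript
"use strict";

// Added example, not code from the original post or from any W3C draft: a
// server-side policy that ranks an incoming request by how it self-identifies
// its origin, using the cases the mail discusses (no Origin header,
// "Origin: null", and a concrete foreign origin). The server origin, the
// allowlist and the sample requests below are constructed assumptions.

const SERVER_ORIGIN = "http://intranet.example";                      // assumed
const CROSS_ORIGIN_ALLOWLIST = new Set(["https://partner.example"]);   // assumed

// Parse the head of a raw HTTP/1.1 request into { method, target, headers }.
// Header names are lower-cased; repeated headers are joined with ", ".
function parseRequestHead(raw) {
  const lines = raw.split("\r\n");
  const [method, target] = lines[0].split(" ");
  const headers = {};
  for (const line of lines.slice(1)) {
    if (line === "") break;                      // blank line ends the header block
    const idx = line.indexOf(":");
    if (idx < 0) throw new Error("malformed header line: " + line);
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers[name] = name in headers ? headers[name] + ", " + value : value;
  }
  return { method, target, headers };
}

// Classify a request by its Origin header, following the mail's taxonomy:
//   "same-origin-implied": no Origin header at all. Under the firewall premise
//       the server reads this as "not self-identified as cross origin".
//   "same-origin": an Origin header naming the server's own origin.
//   "null-origin": "Origin: null"; the requester explicitly declines to speak
//       for any origin, so it must not inherit the same-origin presumption.
//   "cross-origin": a concrete foreign origin.
function classifyOrigin(headers) {
  if (!("origin" in headers)) return "same-origin-implied";
  const origin = headers.origin;
  if (origin === "null") return "null-origin";
  if (origin === SERVER_ORIGIN) return "same-origin";
  return "cross-origin";
}

// The access level a firewall-reliant server grants. This is the policy the
// mail calls "admittedly fragile": it trusts the absence of a header. Any
// non-browser client on the internal network can omit Origin at will, so the
// presumption holds only as long as every such client is non-malicious.
function accessLevel(headers) {
  switch (classifyOrigin(headers)) {
    case "same-origin-implied":
    case "same-origin":
      return "privileged";
    case "cross-origin":
      return CROSS_ORIGIN_ALLOWLIST.has(headers.origin) ? "privileged" : "public";
    case "null-origin":
    default:
      return "public";
  }
}

// Convenience wrapper: raw request text in, decision out.
function decide(raw) {
  const { method, target, headers } = parseRequestHead(raw);
  return { method, target, origin: classifyOrigin(headers), access: accessLevel(headers) };
}

// Constructed sample requests (not captured traffic): the same state-changing
// POST as it would arrive (1) with no Origin header, (2) from a script the
// embedding page has forced to "Origin: null", (3) from an allowlisted partner
// origin and (4) from an unknown foreign origin.
const CRLF = "\r\n";
const REQ_LINE = "POST /admin/reset HTTP/1.1";
const SAMPLES = {
  noOrigin:   [REQ_LINE, "Host: intranet.example", "", ""].join(CRLF),
  nullOrigin: [REQ_LINE, "Host: intranet.example", "Origin: null", "", ""].join(CRLF),
  partner:    [REQ_LINE, "Host: intranet.example", "Origin: https://partner.example", "", ""].join(CRLF),
  unknown:    [REQ_LINE, "Host: intranet.example", "Origin: https://evil.example", "", ""].join(CRLF),
};

for (const [name, raw] of Object.entries(SAMPLES)) {
  console.log(name, decide(raw));
}
```

The interesting row is `nullOrigin`: the request is byte-for-byte the `noOrigin` request plus one header, yet it drops from "privileged" to "public", which is exactly the demotion the mail wants a page to be able to impose on sanitized scripts it loads. The `noOrigin` row is also the weak point the mail concedes: nothing in the request proves it came from a browser, so the policy is only as good as the firewall's premise about what runs behind it.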
