W3C home > Mailing lists > Public > www-tag@w3.org > June 2009

Re: Origin enables XSS to escalate to XSRF (was: security issue with XMLHttpRequest API compatibility)

From: Adam Barth <w3c@adambarth.com>
Date: Sun, 7 Jun 2009 12:17:41 -0700
Message-ID: <7789133a0906071217p1933f2e0vdb830b3965ed0ba5@mail.gmail.com>
To: "Mark S. Miller" <erights@google.com>
Cc: public-webapps <public-webapps@w3.org>, Arthur Barstow <art.barstow@nokia.com>, Thomas Roessler <tlr@w3.org>, Tyler Close <tyler.close@gmail.com>, Jonas Sicking <jonas@sicking.cc>, "General discussions concerning capability systems." <cap-talk@mail.eros-os.org>, Google Caja Discuss <google-caja-discuss@googlegroups.com>, Douglas Crockford <douglas@crockford.com>, Tyler Close <tyler@waterken.com>, Collin Jackson <collinj@cs.stanford.edu>, Collin Jackson <collin.jackson@gmail.com>, David Wagner <daw@cs.berkeley.edu>, www-tag@w3.org
On Fri, Jun 5, 2009 at 9:42 PM, Mark S. Miller <erights@google.com> wrote:
> [+www-tag]
>
> I have received several private responses to my post, but oddly, nothing
> public yet. In these responses, I have been asked most frequently about:

Sorry for the lag in public comments.

> On Wed, Jun 3, 2009 at 4:21 PM, Mark S. Miller <erights@google.com> wrote:
> Since malicious machines, or malicious applications running on trusted
> machines, can send messages that aren't self-identified as cross origin, why
> do I suggest that lack of an origin header (in the absence of other
> credentials) might lead a server into granting more access than it would for
> messages self-identified as "Origin: null"?
>
> For servers reachable from the open internet, such server behavior would
> indeed be nonsensical. However, many servers are behind corporate firewalls
> and not reachable from the open internet. The premise firewalls rely on,
> whether sensible or not, is that all software running behind that firewall
> that can send arbitrary network messages is not malicious. Under these
> assumptions, browsers behind the firewall are assumed not to be malicious
> themselves, but of course may be running malicious scripts associated only
> with origins outside the firewall. These can of course cause their browser
> to initiate network messages to servers within the firewall, but only
> messages identified with browser-imposed headers. For messages not
> identified as cross origin, a server can assume that either the initiating
> program is non-malicious (because it is associated with the server's
> behind-the-firewall origin) or that the initiating program will not receive
> the results of the request.

This seems like a lot of speculation.  Do you have any evidence to
support this hypothesis?

> Under these admittedly fragile (but common) assumptions, a server may indeed
> "trust" a message that doesn't identify itself as cross origin more than it
> "trusts" one that does. Thus, a non-malicious script that doesn't wish the
> sanitized scripts it loads to "speak for it" should force all the messages
> they initiate to be identified as "Origin: null".

If this were the case, we'd have this same problem with Referer,
postMessage, Origin-for-CORS, and numerous other web technologies.

Adam
Received on Sunday, 7 June 2009 19:18:40 GMT
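Added example, not part of the thread and not code written by any of its participants: the two server-side policies the exchange above contrasts, written out so the difference is concrete. The "fragile" policy is the behind-the-firewall behavior Mark describes (a request with no Origin header is trusted more than one carrying "Origin: null"); the "hardened" policy treats an absent Origin exactly like "Origin: null" for state-changing requests and also demands a per-session anti-CSRF token, so a script's ability to suppress or forge the header gains it nothing. The intranet origin, the request objects, the header names and the sample requests are all assumed or constructed here for illustration.

```javascript
// Added example (not from the thread). Requests are modelled as plain
// objects {method, headers}; SELF_ORIGIN is an assumed intranet origin.

const SELF_ORIGIN = "https://intranet.example";   // assumption
const TRUSTED_ORIGINS = new Set([SELF_ORIGIN]);

// HTTP header names are case-insensitive, so look them up that way.
function getHeader(headers, wanted) {
  const key = wanted.toLowerCase();
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === key) return value;
  }
  return undefined;   // header absent
}

// Policy A: the fragile behind-the-firewall assumption described in the thread.
// No Origin header => assumed to be a local, non-malicious program => allowed.
// "Origin: null" or a foreign origin => rejected.
function fragilePolicy(req) {
  const origin = getHeader(req.headers, "Origin");
  if (origin === undefined) return "allow";
  if (origin === "null") return "deny";
  return TRUSTED_ORIGINS.has(origin) ? "allow" : "deny";
}

// Policy B: for any request that can change state, an absent Origin is
// treated like "Origin: null", only allowlisted origins pass, and a
// per-session token must accompany the request. Safe methods (GET/HEAD)
// are left to the browser's normal same-origin handling of the response.
function hardenedPolicy(req, session) {
  const safeMethod = req.method === "GET" || req.method === "HEAD";
  if (safeMethod) return "allow";
  const origin = getHeader(req.headers, "Origin");
  if (origin === undefined || origin === "null") return "deny";
  if (!TRUSTED_ORIGINS.has(origin)) return "deny";
  const token = getHeader(req.headers, "X-CSRF-Token");   // assumed header name
  return token !== undefined && token === session.csrfToken ? "allow" : "deny";
}

// Constructed sample requests (not captured traffic).
const SAMPLES = {
  // Non-browser client behind the firewall (curl, a worm): sends no Origin at all.
  bareClient: { method: "POST", headers: { "Content-Type": "application/json" } },
  // A script the page has deliberately forced to self-identify as cross origin.
  nullOrigin: { method: "POST", headers: { Origin: "null" } },
  // Same-origin request from the intranet application itself, with its token.
  sameOrigin: { method: "POST", headers: { Origin: SELF_ORIGIN, "X-CSRF-Token": "tok-123" } },
  // Cross-origin script loaded from outside the firewall.
  foreign:    { method: "POST", headers: { Origin: "https://attacker.example" } },
};
const SESSION = { csrfToken: "tok-123" };   // constructed session state

// Run every sample through both policies; returns {name: {fragile, hardened}}.
function evaluateAll() {
  const out = {};
  for (const [name, req] of Object.entries(SAMPLES)) {
    out[name] = { fragile: fragilePolicy(req), hardened: hardenedPolicy(req, SESSION) };
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(evaluateAll());
}
```

The row to look at is bareClient: the fragile policy lets the header-less request through on the strength of what it does not say, while the hardened policy gives it exactly the treatment an "Origin: null" request gets. The sameOrigin row shows that the hardened policy still admits the intranet application's own requests, because they carry both an allowlisted Origin and the session token.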