Re: Seeking Feedback on Capability URLs Draft from Colin Watson on 2014-05-27 (www-tag@w3.org from May 2014)

From: Colin Watson <colin@watsonhall.com>
Date: Tue, 27 May 2014 17:13:56 +0100
To: www-tag@w3.org
Cc: Daniel.Appelquist@telefonica.com
Message-ID: <20140527161356.519b229f@mail.watsonhall.com>

Daniel

Some suggestions:

4.2 Add "Some degree of identity authentication can also be used at the time of use, to ensure the capability URL is being used by the intended user. But in many cases this would negate the intended benefit."

5.1 Security measures... 
- In the second bullet point "Pages that inform..." add at the end " and should contain no unencrypted content."
- The third bullet point should be made into two since expiry and one-time use are separate properties, and both might be used: Make the first "Capability URLs should expire. For example, it may be suitable to have a capability URL that expires after two hours or a week and/or if another is re-issued.", and a new one "Capability URLs could be unusable after they have been use i.e. capability URL that can only be accessed once such as for a password reset."
- In the fourth bullet point "Pages accessed through a capability URL..." perhaps change to "...should not include links to, OR CONTENT FROM third-party..." and add after "to untrusted third-party scripts. ", ", and the page should have other no inter-site/host communication such as web messaging, or cross-origin resource sharing or web sockets."
- Add another bullet point "Do not include any information, encrypted, hashed, truncated or otherwise obfuscated in the capability URL. The URL is a pointer to an action pre-stored on the server.
- Maybe also "Page to have anti-caching headers, page to have NOINDEX meta tag, page to have a restrictive Content Security Policy HTTP header, page to have no XSS vulnerabilities"

Regards

Colin



---
From: Daniel Appelquist <Daniel.Appelquist@telefonica.com> 
Date: Fri, 23 May 2014 13:28:04 +0000
To: www-tag <www-tag@w3.org> 
Message-ID: <CFA50B73.43663%daniel.appelquist@telefonica.com> 
Hi folks - as discussed, I’ve made a blog post
http://www.w3.org/blog/TAG/2014/05/22/capability-urls-feedback/ seeking
some feedback on the Capability URLs draft. The goal here is to get some
more eyeballs looking at this and feeding back to us so we can finalize
this document and get it out the door as a finding by the July f2f. If you
can help spread the word on this it will help get more feedback which will
mean a better finding.

Thanks,
Dan

Received on Wednesday, 28 May 2014 08:21:47 UTC