
Re: Origin vs Authority; use of HTTPS (draft-nottingham-site-meta-01)

From: Adam Barth <w3c@adambarth.com>
Date: Wed, 11 Feb 2009 10:26:38 -0800
Message-ID: <7789133a0902111026wf0e424dr6f6f0c40abe5125d@mail.gmail.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Cc: "www-talk@w3.org" <www-talk@w3.org>, Mark Nottingham <mnot@mnot.net>

On Wed, Feb 11, 2009 at 10:14 AM, Adam Barth <w3c@adambarth.com> wrote:
> Adobe found the security case compelling enough to break backwards
> compatibility in their crossdomain.xml policy file system to enforce
> this requirement.  Most serious Web sites opt-in to requiring an
> explicit Content-Type.

By the way, here's the chart of the various security protections Adobe
added to crossdomain.xml and which version they first appeared in:

http://www.adobe.com/devnet/flashplayer/articles/fplayer9-10_security.html

There is another one I forgot:

You need to restrict the scope of a host-meta file to a specific IP
address.  For example, suppose you retrieve
http://example.com/host-meta from 123.123.123.123.  Now, you shouldn't
apply the information you get from that host-meta file to content
retrieved from 34.34.34.34.  You need to fetch another host-meta file
from that IP address.  If you don't do that, the host-meta file will
be vulnerable to DNS Rebinding.  For an explanation of how this caused
problems for crossdomain.xml, see:

http://www.adambarth.com/papers/2007/jackson-barth-bortz-shao-boneh.pdf

Sadly, this makes life much more complicated for implementers.  (Maybe
now you begin to see why this draft scares me.)

Adam
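The IP-scoping check described in the message above, as an added example that is not part of the original post: a host-meta cache that binds each policy to the address it was fetched from, so a policy obtained at one IP is never applied to content served from another, and that also refuses documents lacking the explicit Content-Type (the media type name is an assumption, not something stated on this page).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class HostMetaPolicy:
    host: str
    fetched_from_ip: str   # address the policy document was actually retrieved from
    content_type: str
    body: str


class HostMetaCache:
    # Assumption: the expected media type for a host-meta document; the draft's
    # real value is not on this page, so this name is a placeholder.
    REQUIRED_CONTENT_TYPE = "application/host-meta"

    def __init__(self):
        self._policies = {}   # keyed on (host, ip), never on host alone

    def store(self, host, ip, content_type, body):
        """Accept a fetched document only if it carries the explicit, expected Content-Type."""
        media_type = content_type.split(";")[0].strip().lower()
        if media_type != self.REQUIRED_CONTENT_TYPE:
            return False
        self._policies[(host, ip)] = HostMetaPolicy(host, ip, content_type, body)
        return True

    def policy_for(self, host, connected_ip):
        """Return a policy only if it was fetched from the same IP the content came from.

        A miss means the client must fetch host-meta again from connected_ip.
        """
        return self._policies.get((host, connected_ip))


def rebinding_scenario():
    """Constructed scenario from the message: example.com first resolves to
    123.123.123.123 and later to 34.34.34.34."""
    cache = HostMetaCache()
    cache.store("example.com", "123.123.123.123",
                "application/host-meta", "<constructed policy document>")
    # The cached policy still applies to content from the original address...
    same_ip_ok = cache.policy_for("example.com", "123.123.123.123") is not None
    # ...but not to content fetched after the name resolves elsewhere.
    other_ip_blocked = cache.policy_for("example.com", "34.34.34.34") is None
    return same_ip_ok, other_ip_blocked
```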
Received on Wednesday, 11 February 2009 18:27:19 GMT
