
Re: Origin vs Authority; use of HTTPS (draft-nottingham-site-meta-01)

From: Adam Barth <w3c@adambarth.com>
Date: Wed, 11 Feb 2009 12:27:15 -0800
Message-ID: <7789133a0902111227r5f74ea41y258b704ada2fdcd2@mail.gmail.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Cc: "www-talk@w3.org" <www-talk@w3.org>, Mark Nottingham <mnot@mnot.net>

That would cause interoperability problems where user agents that care
about security would be incompatible with sites implemented with
insecure user agents in mind.  Based on past history, this leads to a
race to the bottom where no user agents can be both popular and
secure.


On Wed, Feb 11, 2009 at 11:46 AM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
> How about clearly identifying the threat in the spec instead of making this
> a requirement?
>
> EHL
>
>
> On 2/11/09 10:14 AM, "Adam Barth" <w3c@adambarth.com> wrote:
>
> On Tue, Feb 10, 2009 at 11:51 PM, Eran Hammer-Lahav <eran@hueniverse.com>
> wrote:
>>> In particular, you should require that
>>> the host-meta file should be served with a specific mime type (ignore
>>> the response if the mime type is wrong.  This protects servers that
>>> let users upload content from having attackers upload a bogus
>>> host-meta file.
>>
>> I am not sure the value added in security (which I find hard to buy) is
>> worth excluding many hosting solutions where people do not always have
>> access to setting content-type headers. After all, focusing on an HTTP
>> GET based solution was based on getting the most accessible approach.
>
> Adobe found the security case compelling enough to break backwards
> compatibility in their crossdomain.xml policy file system to enforce
> this requirement.  Most serious Web sites opt in to requiring an
> explicit Content-Type.  For example,
>
> $ wget http://mail.google.com/crossdomain.xml --save-headers
> $ cat crossdomain.xml
> HTTP/1.0 200 OK
> Content-Type: text/x-cross-domain-policy
> Last-Modified: Tue, 04 Mar 2008 21:38:05 GMT
> Set-Cookie: ***REDACTED***
> Date: Wed, 11 Feb 2009 18:07:40 GMT
> Server: gws
> Cache-Control: private, x-gzip-ok=""
> Expires: Wed, 11 Feb 2009 18:07:40 GMT
>
> <?xml version="1.0"?>
> <!DOCTYPE cross-domain-policy SYSTEM
> "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
> <cross-domain-policy>
>   <site-control permitted-cross-domain-policies="by-content-type" />
> </cross-domain-policy>
>
> Google Gears has also recently issued a security patch enforcing the
> same Content-Type checks to protect their users from similar attacks.
>
>>> Also, if you want this feature to be useful for Web browsers, you
>>> should align the scope of the host-meta file with the notion or origin
>>> (not authority).
>>
>> The scope is host/port/protocol. The protocol is not said explicitly but
>> is very much implied. I'll leave it up to Mark to address wordings. As
>> for the term 'origin', I'd rather do anything but get involved with
>> another term at this point.
>
> I'd greatly prefer if this was stated explicitly.  Why leave such
> a critical security requirement implied?
>
> Adam
>
>
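As an added illustration of the Content-Type check discussed above (example code written here, not part of the thread, of Adobe's player, or of Gears): a client-side acceptance check that ignores a fetched crossdomain.xml unless it was served as text/x-cross-domain-policy, which is what keeps a user-uploaded copy of the file from being honored. The raw responses are constructed, the first modelled on the quoted wget output.

```python
import xml.etree.ElementTree as ET

POLICY_MIME = "text/x-cross-domain-policy"


def parse_http_response(raw: bytes):
    """Split a raw response (as saved by `wget --save-headers`) into
    (status_code, headers, body). Header names are lower-cased."""
    text = raw.decode("latin-1")
    sep = "\r\n\r\n" if "\r\n\r\n" in text else "\n\n"
    head, _, body = text.partition(sep)
    lines = head.splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return status, headers, body


def should_honor_policy(status, headers, body):
    """Return (accepted, reason). The policy is honored only when served with
    the dedicated Content-Type (media-type parameters such as charset are
    ignored); a copy served as text/plain or text/html is rejected."""
    if status != 200:
        return False, f"status {status}"
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype != POLICY_MIME:
        return False, f"content-type {ctype or '(missing)'} != {POLICY_MIME}"
    try:
        root = ET.fromstring(body.strip())  # DOCTYPE is parsed, DTD is not fetched
    except ET.ParseError as exc:
        return False, f"xml parse error: {exc}"
    if root.tag != "cross-domain-policy":
        return False, f"unexpected root element {root.tag}"
    return True, "ok"


def check(raw: bytes):
    return should_honor_policy(*parse_http_response(raw))


# Constructed sample: the response quoted above, with non-essential headers dropped.
GOOD = b"""HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy
Server: gws

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="by-content-type" />
</cross-domain-policy>
"""
# Constructed sample: the same file uploaded to a host that serves user content as text/plain.
UPLOADED = GOOD.replace(b"text/x-cross-domain-policy", b"text/plain")

if __name__ == "__main__":
    for name, raw in (("served-as-policy", GOOD), ("uploaded-as-text", UPLOADED)):
        print(name, check(raw))
```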
Received on Wednesday, 11 February 2009 20:27:57 GMT
