
Re: Origin vs Authority; use of HTTPS (draft-nottingham-site-meta-01)

From: Adam Barth <w3c@adambarth.com>
Date: Wed, 11 Feb 2009 16:52:05 -0800
Message-ID: <7789133a0902111652x536c1b71gbf052154b5b2f108@mail.gmail.com>
To: Breno de Medeiros <breno@google.com>
Cc: Eran Hammer-Lahav <eran@hueniverse.com>, "www-talk@w3.org" <www-talk@w3.org>

On Wed, Feb 11, 2009 at 4:45 PM, Breno de Medeiros <breno@google.com> wrote:
> Ah, thought that you were still suggesting that this be a spec requirement.

I think that would be better, but I understand your concern about
limited hosting environments.  I suspect there is a clever solution
along the lines of what Silverlight is doing.

> What about browser-based applications using host-meta ...

Browser-based is a red herring.  This issue affects security-critical
server-to-server use cases as well.

For example, suppose someone uses host-meta to specify the URL to use
for a server-to-server authentication API:

GET /host-meta HTTP/1.1
Host: example.com:80
Content-Type: text/plain

Authentication-URL: https://foobar.com/authentication-api

If example.com is a Web server that lets an attacker upload a text
file named "host-meta" to the root directory (which is safe behavior
today), then the attacker has just hacked the server-to-server
authentication protocol.

Adam
Received on Thursday, 12 February 2009 00:52:49 GMT
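The attack Adam sketches above, as an added illustration that is not his code, nor text from the site-meta draft: a server-to-server client resolves an "Authentication-URL" from a host-meta document fetched over plain HTTP, first trusting it blindly, then with the kind of check the thread's subject line points at (the URL must be an https URL on the same authority the host-meta came from). The host-meta bodies are constructed sample data; the header name "Authentication-URL" is taken from the mail, and the helper names and the "attacker.example" / "victim.example" hosts are assumptions for the example.

```python
"""Added illustration of the host-meta trust problem described in the mail.
Not Adam Barth's code and not part of draft-nottingham-site-meta; the
host-meta bodies are constructed and the helper names are assumptions."""

from urllib.parse import urlsplit

# Constructed sample /host-meta bodies keyed by the host they were fetched
# from.  "victim.example" models the case from the mail: an attacker was able
# to upload a plain text file named "host-meta" to the document root and
# used it to point the authentication API at a host they control.
SAMPLE_HOST_META = {
    "example.com":    "Authentication-URL: https://example.com/authentication-api\n",
    "victim.example": "Authentication-URL: https://attacker.example/authentication-api\n",
}


def fetch_host_meta(host):
    """Stand-in for 'GET /host-meta HTTP/1.1' to <host>:80; returns the body."""
    return SAMPLE_HOST_META[host]


def parse_host_meta(body):
    """Parse the 'Name: value' lines of the text format shown in the mail into
    a dict keyed by lower-cased name.  Lines without a colon are ignored."""
    fields = {}
    for line in body.splitlines():
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields[name.strip().lower()] = value.strip()
    return fields


def naive_auth_url(host):
    """What the mail warns against: use whatever URL host-meta hands us."""
    return parse_host_meta(fetch_host_meta(host))["authentication-url"]


def checked_auth_url(host):
    """Same lookup, but refuse a URL that is not an https URL on the very host
    whose host-meta was requested (an authority check, assumed here as a
    hardening step, not a requirement of the draft).  Raises ValueError."""
    url = parse_host_meta(fetch_host_meta(host))["authentication-url"]
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("Authentication-URL must use https: %s" % url)
    if parts.hostname != host.lower():
        raise ValueError("Authentication-URL host %r is not the authority %r"
                         % (parts.hostname, host))
    return url


def accepts(host):
    """True if the checked resolver accepts the host-meta served by <host>."""
    try:
        checked_auth_url(host)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The naive client is redirected to attacker.example; the checked client
    # accepts example.com and rejects the uploaded host-meta on victim.example.
    print(naive_auth_url("victim.example"))
    print(checked_auth_url("example.com"))
    print(accepts("victim.example"))
```

The authority check only stops a host-meta file from handing the protocol to a different host; it does nothing for an attacker who can also place arbitrary content on the same host, and it does not remove the exposure of fetching host-meta itself over port 80, which is the HTTPS part of this thread.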