- From: Tyler Close <tyler.close@gmail.com>
- Date: Sun, 5 Apr 2009 14:22:27 -0700
- To: ietf-http-wg@w3.org
- Cc: Vincent Murphy <vdm@vdm.ie>, Mark Miller <erights@gmail.com>

It looks like discussion of this proposal has died off, but I want to record a strong objection in case it hasn't, or comes back.

The current restrictions on the Referer header are crucial to enabling the use of capability-based security on the Web. A URL can be used as a capability by including an unguessable secret. This secret ensures that the corresponding resource can only be accessed by agents that have been explicitly told the secret. The only viable way to implement this in HTTP is to put the secret in the fragment; otherwise, the secret would leak to a referred-to page when following a hyperlink. I presented a paper describing this technique, and why it's a good use of web architecture, at W2SP 2008. The paper is at:

http://waterken.sourceforge.net/web-key/

Preserving this technique is important since capability-based security is the only access-control model that works in multi-party systems like the Web. Traditional ACLs cannot work in multi-party scenarios. Manifestations of these flaws in the ACL model are widely known under the terms clickjacking and CSRF, though not fully understood. For an in-depth explanation of the issues, see:

http://waterken.sourceforge.net/aclsdont/

If rationality alone is insufficient to carry the day, I'll also point out that changing a widely implemented MUST requirement in the HTTP spec would violate the charter for HTTPbis.

--Tyler

On Sat, Feb 14, 2009 at 9:40 AM, Vincent Murphy <vdm@vdm.ie> wrote:
> During a discussion [0] about why Youtube uses ?feature=related in its URIs,
> I observed that the Referer header URI, if it included a fragment
> identifier, could be used to identify the anchor used to initiate a GET. This
> would be useful for
>
> - analysing anchor popularity,
> - eliminating the need for workarounds and hacks like Youtube
>   ?feature=related
> - encourage cleaner, canonical URIs.
>
> I did a search of discussions around the HTTP protocol, but was not able to
> find the origin of the statement from RFC2616 Section 14.32 [1], paraphrased
> in the subject of this message. This statement is also in
> draft-ietf-httpbis-p2-semantics-05, section 10.6 [2].
>
> I seek links to the discussion or rationale and origin of this statement, or
> failing that, comments about how allowing fragment identifiers in Referer
> URIs would enhance or violate web architecture.
>
> Thanks,
> -Vincent Murphy
>
> 0.
> http://www.reddit.com/r/programming/comments/7x49v/canonical_url_tag_the_most_important_advancement/c07ne0v
> 1. http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.36
> 2.
> http://www.ietf.org/internet-drafts/draft-ietf-httpbis-p2-semantics-05.txt

Received on Sunday, 5 April 2009 21:23:07 UTC
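
The leak the message describes, as an added example that is not part of the original post or of the Waterken code: it models the Referer value a user agent sends under the current rule (no fragment) and compares three places an unguessable secret could sit in a capability URL. The host `example.org`, the token, and all function names are constructed for illustration.

```javascript
// Added example. Models the Referer a user agent derives from the page URL
// when a hyperlink on that page is followed. All URLs and the token below
// are constructed sample values.

// Under the restriction discussed above, the Referer value never carries
// the fragment; user agents also drop any userinfo.
function refererFor(documentUrl) {
  const u = new URL(documentUrl);
  u.hash = '';
  u.username = '';
  u.password = '';
  return u.href;
}

// The request target sent to the origin server: path and query only.
// The fragment stays in the browser, so a page script has to read it
// and pass it on explicitly if the server needs it.
function requestTarget(documentUrl) {
  const u = new URL(documentUrl);
  return u.pathname + u.search;
}

const SECRET = 'mhbqcmmva5ja3'; // constructed unguessable token
const designs = {
  path:     `https://example.org/app/${SECRET}/`,
  query:    `https://example.org/app/?s=${SECRET}`,
  fragment: `https://example.org/app/#s=${SECRET}`,
};

// For each design, report whether the secret reaches a linked third-party
// site via Referer, and whether it appears in the request line at all.
function audit() {
  const out = {};
  for (const [name, url] of Object.entries(designs)) {
    out[name] = {
      referer: refererFor(url),
      leaksToLinkedSite: refererFor(url).includes(SECRET),
      sentInRequestLine: requestTarget(url).includes(SECRET),
    };
  }
  return out;
}

console.log(audit());
```

Only the fragment design keeps the secret out of the Referer; if fragments were allowed in Referer, `refererFor` would return the full URL and that design would leak like the other two.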