- From: Mark Nottingham <mnot@mnot.net>
- Date: Tue, 7 Dec 2010 10:53:35 +1100
- To: Chirag Shah <chiragshah1@gmail.com>
- Cc: ietf-http-wg@w3.org
Chirag,

Changing how HTTP authentication works is explicitly out of scope for this WG, although you will likely find people willing to discuss it here.

Although there are a number of places that might be appropriate for this discussion, it might actually be most helpful for you to give this as feedback to the W3C CORS specification:
  http://www.w3.org/TR/cors/
... as they're discussing what is effectively a policy mechanism for cross-site requests.

Kind regards,

On 06/12/2010, at 5:43 AM, Chirag Shah wrote:

> Hey httpbis,
>
> Cross Site HTTP Authentication seems to be an obscure phishing vector
> that's often overlooked across the web and sometimes difficult to
> work around. When the WWW-Authenticate header is presented to a
> user-agent, it will prompt the user for a user name and password.
>
> This is a problem because when a webpage is loaded, any external
> resource requested by that page can request HTTP Authentication and
> trigger this dialog. At this point, it isn't entirely obvious that the
> user name/password is being sent to the external resource.
>
> One way to address this issue is by disallowing HTTP Authentication
> for external resources loaded by a webpage by following a variant of
> the same-origin-policy.
>
> Proposed change in user agent behavior:
> When the page http://good.com/resource is rendered, the following
> table outlines how external resources (requiring Authentication) could
> be treated.
>
> http://evil.com/auth.png - Auth Failure - Different domain
> http://good.com/auth.png - Auth Success - Same domain
> ws://good.com/secure.htm - Auth Failure - Different protocol
> http://good.com:99/auth.png - Auth Failure - Different port
> http://1.good.com/auth.png - Auth Failure - Different host
>
> Does it make sense to update RFC 2617 to account for this issue?
>
>
> References:
> Cross Site HTTP Authentication:
> http://code.google.com/p/google-caja/wiki/PhishingViaCrossSiteHttpAuth
> HTTP Authentication: http://www.ietf.org/rfc/rfc2617.txt
> The Web Origin Concept: http://tools.ietf.org/html/draft-abarth-origin-06
>
>
> Thank you,
> Chirag Shah - http://chiarg.com
>

--
Mark Nottingham     http://www.mnot.net/
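A user-agent side check that applies the origin comparison from the quoted table (scheme, host, effective port) before letting a subresource's WWW-Authenticate challenge reach the user. This is an added example, not code from the thread or from any browser; the function names, the reason strings and the treatment of the table's "different domain" row as a host mismatch are assumptions.

```javascript
// Default ports per scheme, so that http://good.com and http://good.com:80
// compare as the same origin. Only the schemes used in the table are listed.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Reduce a URL to its origin tuple: scheme, host name and effective port.
// Uses the WHATWG URL parser available in browsers and Node.
function originTuple(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { scheme: u.protocol, host: u.hostname, port };
}

// Decide whether a challenge from `resourceUrl` may prompt the user while
// `pageUrl` is being rendered. Returns the verdict plus the first mismatching
// component, mirroring the reason column of the proposal's table. The table's
// "Different domain" (evil.com) and "Different host" (1.good.com) rows are
// both host mismatches here; no public-suffix logic is attempted.
function authPromptAllowed(pageUrl, resourceUrl) {
  const page = originTuple(pageUrl);
  const res = originTuple(resourceUrl);
  if (page.scheme !== res.scheme) return { allowed: false, reason: "Different protocol" };
  if (page.host !== res.host) return { allowed: false, reason: "Different host" };
  if (page.port !== res.port) return { allowed: false, reason: "Different port" };
  return { allowed: true, reason: "Same origin" };
}

// The five rows of the proposal's table, evaluated against the rendering page
// http://good.com/resource (constructed input taken from the quoted message).
const PAGE_URL = "http://good.com/resource";
const PROPOSAL_ROWS = [
  "http://evil.com/auth.png",
  "http://good.com/auth.png",
  "ws://good.com/secure.htm",
  "http://good.com:99/auth.png",
  "http://1.good.com/auth.png",
];

function evaluateProposalTable() {
  return PROPOSAL_ROWS.map((url) => ({ url, ...authPromptAllowed(PAGE_URL, url) }));
}

for (const row of evaluateProposalTable()) {
  console.log(`${row.url} - ${row.allowed ? "Auth Success" : "Auth Failure"} - ${row.reason}`);
}
```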
Received on Monday, 6 December 2010 23:54:08 UTC