Re: Proposal for a way to avoid a round-trip on every POST when dealing with large numbers of URIs

Ian Hickson wrote:
> On Tue, 5 Feb 2008, Jonas Sicking wrote:
>> It introduces ordering issues. Consider the following setup; A server 
>> contains two resources, /dir/A and /dir/B, and returns the following 
>> replies to OPTIONS requests:
>>
>> /dir/
>> Access-Control:allow <*> method POST
>> Method-Check-Policy-Path: /dir/
>> Method-Check-Max-Age:3600
>>
>> /dir/A
>> Access-Control:allow <*> method POST
>> Method-Check-Policy-Path: /dir/
>> Method-Check-Max-Age:3600
>>
>> /dir/B
>> Access-Control:deny <*> method POST
>> Method-Check-Max-Age:3600
>>
>>
>> If a UA now accesses resource A it would do OPTIONS requests to /dir/A 
>> and then /dir/ and result in "allow <*> method POST" being cached as the 
>> policy for all resources under /dir/.
>>
>> If the UA then tries to do a POST to resource B this would be performed 
>> without any OPTIONS requests. I.e. the POST to B would be successful.
>>
>> However if the UA first tries to do a POST to resource B, the UA would 
>> first do an OPTIONS request to /dir/B and then abort. I.e. the POST to B 
>> would be unsuccessful.
> 
> I think this will make debugging a pain, for sure, but I don't think it's 
> a security problem. It's just a configuration issue.

It is a security problem if the POST has side-effects, which is very 
likely to be the case and the reason we have the OPTIONS request at all.

But yes, it's not a problem in the spec per se. It's a problem in the 
way the server was configured. However I do think that adding this 
functionality makes it easier to misconfigure servers.

> I can't see a clear way of avoiding it, though.

I don't think there is one as long as we are intent on allowing access 
policies to be set in multiple places (i.e. both on the resource and on 
any parent directory).

> (Note also that if you access A then B, that even though B would then get 
> a POST, it wouldn't leak the data to the requesting Web page. The "deny" 
> would still take effect on the response.)
> 
> 
>> The current proposal means that someone that can control the responses 
>> to a given directory can effectively control the ability to perform 
>> unsafe cross-site requests to any URI under that directory.
> 
> Yes, that's the assumption for the proposal. :-) Is it not a safe 
> assumption?

I don't know. :(

/ Jonas

Received on Thursday, 7 February 2008 02:28:45 UTC
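A small model of the pre-flight cache behaviour Jonas describes, as an added example that is not part of the original thread. The OPTIONS replies are the constructed ones from his message; the user agent's lookup rule (the longest cached policy path that is a prefix of the target URI wins) and the idea that a deny is cached only for its own path are assumptions about the proposal, not text from the spec.

```python
from dataclasses import dataclass, field

# Constructed OPTIONS replies, copied from the example in the thread.
SERVER_OPTIONS = {
    "/dir/":  {"Access-Control": "allow <*> method POST",
               "Method-Check-Policy-Path": "/dir/", "Method-Check-Max-Age": "3600"},
    "/dir/A": {"Access-Control": "allow <*> method POST",
               "Method-Check-Policy-Path": "/dir/", "Method-Check-Max-Age": "3600"},
    "/dir/B": {"Access-Control": "deny <*> method POST",
               "Method-Check-Max-Age": "3600"},
}


def decision(headers):
    """First token of the Access-Control header: 'allow' or 'deny'."""
    return headers["Access-Control"].split()[0]


@dataclass
class UserAgent:
    cache: dict = field(default_factory=dict)        # policy path -> decision
    options_log: list = field(default_factory=list)  # OPTIONS requests sent

    def may_post(self, path):
        """Decide whether a cross-site POST to `path` may be sent.

        Assumed lookup rule: the longest cached policy path that is a
        prefix of `path` wins, so a cached '/dir/' also covers '/dir/B'.
        """
        hits = [p for p in self.cache if path.startswith(p)]
        if hits:
            return self.cache[max(hits, key=len)] == "allow"
        self.options_log.append(path)
        hdrs = SERVER_OPTIONS[path]
        if decision(hdrs) == "deny":
            self.cache[path] = "deny"  # abort; assumed to cache only this path
            return False
        policy_path = hdrs.get("Method-Check-Policy-Path")
        if policy_path and policy_path != path:
            # Confirm the wider policy with the directory itself, as in the thread.
            self.options_log.append(policy_path)
            parent = SERVER_OPTIONS[policy_path]
            if (decision(parent) == "allow"
                    and parent.get("Method-Check-Policy-Path") == policy_path):
                self.cache[policy_path] = "allow"  # now covers every /dir/* URI
                return True
        self.cache[path] = "allow"
        return True


def run(order):
    """Replay POST attempts in `order`; return per-path outcome and the OPTIONS log."""
    ua = UserAgent()
    return {p: ua.may_post(p) for p in order}, ua.options_log
```

Replaying `["/dir/A", "/dir/B"]` lets the POST to B through with no OPTIONS request to /dir/B at all, while `["/dir/B", "/dir/A"]` blocks it, which is the order dependence the message points out.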