- From: Ian Hickson <ian@hixie.ch>
- Date: Tue, 12 Feb 2008 04:40:18 +0000 (UTC)
- To: "Close, Tyler J." <tyler.close@hp.com>
- Cc: "WAF WG (public)" <public-appformats@w3.org>
On Tue, 12 Feb 2008, Close, Tyler J. wrote: > > +Framing the Referer+ > > For this scenario: > > resource host: acting faithfully > third-party script: not involved > user: acting dishonestly > > In this scenario, the user is the attacker and seeks to cause changes to > the resource that the resource host will blame on a third-party chosen > by the user. > > The user sends a request like: > > POST /spendMoney HTTP/1.1 > Host: honestBank.com > Referer-Root: https://honestBlogger.com > Cookie: "user's authentication tokens" > Content-Type: application/json > > { > "recipient": "identifier for user's accomplice", > "amount": "20 bucks" > } > > The user later claims he never consented to spending this money and > should be reimbursed by honestBlogger.com. The user's accomplice has > already absconded with the cash. The honestBank.com site can't know > whether the POST request was sent by a dishonest user, or by an honest > user defrauded by a dishonest script from honestBlogger.com (see the > next attack). Not including cookies or authentication information wouldn't help here, as you would just end up having to include authentication using some other mechanism. Not including the Referer-Root header wouldn't help either, since in this case the header isn't trustworthy in the first place. The correct way of implementing the above safely on the server side is to have the server (what you call the "third party" side) sign each request before sending it to what you call the "resource host". This is equivalent to what happens today on sites that want to seriously address XSRF risks -- they sign each request, and requests that aren't signed get rejected. Servers in such situations can ignore Referer headers altogether. However, that doesn't reduce the use of Referer and Referer-Root headers in the more general case. For example, if the same person runs both sites, they really do trust both sites, and can thus trust that if someone complains that host A is doing things on host B without their consent, it's really the user playing tricks. Since the only person the user can hurt in such cases is the user himself, it's fine. > +Robbing the user+ > > For this scenario: > > resource host: acting faithfully > third-party script: acting dishonestly > user: acting honestly > > In this scenario, the third party script seeks to cause changes to the > resource that the resource host will blame on the user. > > POST /spendMoney HTTP/1.1 > Host: honestBank.com > Referer-Root: https://honestBlogger.com > Cookie: "user's authentication tokens" > Content-Type: application/json > > { > "recipient": "honestBlogger's accomplice account", > "amount": "20 bucks" > } > > The script does so without ever consulting the user. The third-party > site is allowed to send cross-domain requests to the spendMoney > resource, but was only expected to do so with the consent of the user. > Most of the time, it asks for this consent, sometimes not. The > honestBank.com site can't know if the third-party script actually got > the user's consent. Again, not including cookies doesn't change this at all -- in fact it would make it worse, since it would require that what you call the third party script have the credentials in some reusable form, and thus such fake requests could then later be sent totally offline without the user's presence at all. Not sending the Referer-Root header here would make no difference, since the site is trusted anyway. The way to safely implement this here is for the server not to trust untrustworthy sites, and confirm requests independently (e.g. by sending an e-mail asking for confirmation, and rejecting transactions that don't get confirmed). If both sites truly are trusted, then this can't happen. (Note that many of the use cases for cross-site requests are actually all about things being done without the user's explicit consent.) In conclusion, I don't think the spec needs to change to address these problems, and I don't think any of the solutions you have proposed would actually address them. I would be happy to see the security section mention these risks though, and the ways to mitigate these risks, some of which I've listed above. -- Ian Hickson U+1047E )\._.,--....,'``. fL http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 12 February 2008 04:40:32 UTC