- From: Jon Ferraiolo <jferrai@us.ibm.com>
- Date: Tue, 19 Feb 2008 07:11:00 -0800
- To: "Anne van Kesteren" <annevk@opera.com>
- Cc: "Mark Baker" <distobj@acm.org>, "Jonas Sicking" <jonas@sicking.cc>, "John Panzer" <jpanzer@acm.org>, "mike amundsen" <mamund@yahoo.com>, public-appformats@w3.org, public-appformats-request@w3.org
- Message-ID: <OFF9199BB2.DC88F574-ON882573F4.0052E527-882573F4.00536790@us.ibm.com>
If you are going to consider requiring a preflight request where the server has to explicitly opt-in to custom headers before custom headers will be sent, how about requiring a preflight request where the server has to explicitly opt-in to cookies before cookies will be sent? That would help address the accountability issue that has been discussed recently.

Jon

"Anne van Kesteren" <annevk@opera.com>
Sent by: public-appformats-request@w3.org
02/19/2008 06:56 AM

To: "Mark Baker" <distobj@acm.org>
cc: "mike amundsen" <mamund@yahoo.com>, "John Panzer" <jpanzer@acm.org>, "Jonas Sicking" <jonas@sicking.cc>, public-appformats@w3.org
Subject: Re: CSR and Mozilla - Clarifying HTTP Header Filtering

On Tue, 19 Feb 2008 15:33:02 +0100, Mark Baker <distobj@acm.org> wrote:
> On 2/19/08, Anne van Kesteren <annevk@opera.com> wrote:
>> On Tue, 19 Feb 2008 05:21:12 +0100, Mark Baker <distobj@acm.org> wrote:
>> > http://lists.w3.org/Archives/Public/public-webapi/2006May/0008.html
>>
>> No, these are completely different cases. What you're referring to is ok
>> for same-origin requests and is what the same-origin requests still
>> allow.
>> Non same-origin requests probably require a different policy though.
>
> I think it's the same case. The issue in both cases is that the
> script should always be subordinate to the user agent whose job it is
> to ensure that the messages it sends are valid HTTP messages that
> don't misrepresent either the user or its own capabilities.

The issue is that cross-site requests that are possible today for GET do not involve arbitrary headers made up by the author. Therefore servers could be vulnerable to cross-site GET requests that do have arbitrary headers set. This is a new attack vector and has nothing to do with the same-origin blacklist.

Having said that, Henri Sivonen suggested that for cross-site GET requests where the author has provided new headers the preflight OPTIONS could also be performed. You'd basically get

    if method == GET && !authorHeaders:
        crossSiteRequest()
    else:
        crossSiteRequestWithPreflight()

--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
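The two policies argued over in this thread, modelled in Python as an added example (not code from the thread, from Opera, Mozilla or the W3C draft): Anne's rule that only a cross-site GET carrying no author-set headers skips the preflight, and Jon's proposed extension that a request which would carry cookies is preflighted too, so the server has to opt in before cookies are sent. The `Access-Control-*` header names are those of the later standardized CORS spec and are an assumption here, as are the `UA_HEADERS` set, the `ServerPolicy` shape and the constructed sample origins and cookie values; the server side refuses the opt-in when a requested custom header is not on its allow-list, and the user-agent side strips cookies rather than sending them when the server has not opted in.

```python
"""Model of the cross-site request policy discussed in the thread.

Two rules are modelled (added example, not the draft's own text):
  1. Anne's rule: a cross-site GET with no author-set headers goes out
     directly; anything else goes through a preflight OPTIONS first.
  2. Jon's proposal (cookie_optin=True): a request that would carry
     cookies is preflighted too, and cookies are only attached once the
     server has opted in during that preflight.

Header names follow the later CORS spec (Access-Control-Request-*,
Access-Control-Allow-*); they are an assumption, not from the thread.
"""
from dataclasses import dataclass, field

# Headers the user agent sets on its own; any other name counts as author-set.
# Assumed list for the model, not a normative one.
UA_HEADERS = {"host", "user-agent", "accept", "accept-language",
              "accept-encoding", "referer", "origin", "cookie"}


@dataclass
class ServerPolicy:
    """What a server opted in to; the preflight handler reads this."""
    allowed_origins: set
    allowed_headers: set = field(default_factory=set)  # lowercase names
    allow_cookies: bool = False


def author_headers(headers):
    """Lowercase names of the headers the script, not the UA, added."""
    return {name.lower() for name in headers} - UA_HEADERS


def needs_preflight(method, headers, cookies=None, cookie_optin=False):
    """Anne's rule, plus Jon's proposed extension when cookie_optin is set.

    A GET carrying only UA headers goes out directly; anything else is
    preflighted.  With cookie_optin, a request that would carry cookies is
    preflighted as well, so the server can opt in before they are sent.
    """
    if cookie_optin and cookies:
        return True
    return not (method.upper() == "GET" and not author_headers(headers))


def preflight_response(policy, origin, method, headers):
    """Server side of the OPTIONS exchange: the opt-in answer, or None to refuse."""
    if origin not in policy.allowed_origins:
        return None
    requested = author_headers(headers)
    if not requested <= policy.allowed_headers:
        return None  # an unlisted custom header: no opt-in, the UA must not send it
    response = {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": method.upper(),
        "Access-Control-Allow-Headers": ", ".join(sorted(requested)),
    }
    if policy.allow_cookies:
        response["Access-Control-Allow-Credentials"] = "true"
    return response


def cross_site_request(policy, origin, method, headers, cookies=None,
                       cookie_optin=False):
    """User-agent side: the request actually sent, or None if it was refused."""
    sent = {"method": method.upper(), "headers": dict(headers), "cookies": cookies}
    if not needs_preflight(method, headers, cookies, cookie_optin):
        return sent  # status quo: a plain cross-site GET, cookies ride along
    answer = preflight_response(policy, origin, method, headers)
    if answer is None:
        return None  # server did not opt in to this origin/header set
    if cookie_optin and answer.get("Access-Control-Allow-Credentials") != "true":
        sent["cookies"] = None  # no cookie opt-in: send the request without them
    return sent


if __name__ == "__main__":
    # Constructed sample: one allowed origin, one allowed custom header.
    policy = ServerPolicy(allowed_origins={"https://app.example"},
                          allowed_headers={"x-custom"})
    print(cross_site_request(policy, "https://app.example", "GET",
                             {"X-Custom": "1"}, {"sid": "abc"}, cookie_optin=True))
```

With `cookie_optin=False` the model reproduces the status quo Anne describes: a custom header forces the preflight, but cookies travel with a plain GET regardless. Flipping `cookie_optin` to `True` is Jon's proposal; the same GET with cookies is then preflighted, and the cookies are dropped unless the server answered with the credentials opt-in.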
Received on Tuesday, 19 February 2008 15:13:36 UTC