RE: Comments on: Access Control for Cross-site Requests

Hi Tyler,
I think you misunderstood me a bit. When I submitted my list of MUSTs
and SHOULDs, I was just showing some examples of how the requirements might
look, not attempting to actually provide a real list of requirements. I'm
too lazy for that! The working group are the ones to do the work to hammer
out the MUSTs and SHOULDs if they are so motivated and have the time.

But regarding the question of whether it is OK for Access Control to
broaden the attack surface, that's obviously a tricky issue. The Access
Control spec allows cross-site data access which was not possible
previously, so it almost certainly has to broaden the attack surface, since
it is allowing data access that was not possible before. Therefore, my
sample requirement (MUST NOT broaden attack surface) is too simplistic.
Perhaps: MUST NOT broaden attack surface except as necessary to deliver the
necessary features.


"Close, Tyler J." om> wrote on 01/03/2008 09:50 AM:
To: Jon Ferraiolo/Menlo Park/IBM@IBMUS, Anne van Kesteren <>, Ian Hickson <>, Mark Nottingham <>
Subject: RE: Comments on: Access Control for Cross-site Requests

Hi Jon,

Jon Ferraiolo wrote:
> * The Access Control mechanism MUST not broaden the attack
> surface for hackers, particularly with regard to CSRF

Could you elaborate a bit on this constraint? For example, one
interpretation might be that the currently proposed mechanism violates this
constraint since any cookies or HTTP Auth credentials the user may have are
included in the request sent to the server (the opposite of what's done in
the JSONRequest proposal). In essence, the current proposal is one for
determining the set of hosts that are allowed to issue CSRF requests, which
is a broadening of the CSRF attack surface.

On a related note, I'm uncomfortable with the use of the term
access-control in this specification and discussion, since the discussed
mechanism doesn't actually control access. For example, it is not a
replacement for whatever mechanism a server is currently using to determine
whether or not to process a received request. You can't add an XML PI to
your document and say: "Good, that takes care of access-control!" The
current naming of elements, headers and discussion terminology might lead
one to believe so.


[1] "Access Control for Cross-site Requests"

Received on Thursday, 3 January 2008 18:35:19 UTC