RE: ISSUE-18: Is JSONRequest an acceptable alternative to the current model? [Access Control]

From: Close, Tyler J. <tyler.close@hp.com>
Date: Tue, 8 Jan 2008 17:31:52 +0000
To: Jonas Sicking <jonas@sicking.cc>, Jon Ferraiolo <jferrai@us.ibm.com>
CC: Anne van Kesteren <annevk@opera.com>, "WAF WG (public)" <public-appformats@w3.org>
Message-ID: <C7B67062D31B9E459128006BAAD0DC3D145A3889@G6W0269.americas.hpqcorp.net>

Jonas Sicking wrote:
> So if JSONRequest
> relies on the lack of cookies and auth credentials to protect the user
> or server, how are these firewalled servers protected?

For a GET request, the response's Content-Type MUST be "application/jsonrequest", a Media-Type that did not exist before the creation of the JSONRequest proposal. This Content-Type is therefore taken as an explicit acknowledgment that the resource knows it can be accessed cross-domain.

For a POST request, the request entity also has the Content-Type "application/jsonrequest", so if the resource is checking the Content-Type, it will think an unsupported Media-Type is being sent. If it does not check the Content-Type, it is still likely that it will not be able to parse the request entity, since it is probably expecting either an "application/x-www-form-urlencoded" entity or an XML entity, since JSON is a newer syntax.

Both of these protections are just last-line-of-defense to protect those services that don't do any permission checks at all and so rely on a firewall to keep out unauthorized requests. Since these resources are already completely vulnerable to CSRF (Cross-Site-Request-Forgery) attacks, these protections seem sufficient to retain any actual security the resources may currently have.

--Tyler
Received on Tuesday, 8 January 2008 17:32:52 UTC
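A small model of the two Content-Type checks Tyler describes, written from the defender's side as an added example; it is not code from the thread or from the JSONRequest proposal. The lowercase header keys, the media-type parsing and the assumption that the legacy intranet service only accepts form posts are all constructed for illustration.

```javascript
// Added example, not part of the original thread or the JSONRequest proposal.
// Assumptions: header names arrive as lowercase keys; the rules below are a
// simplified reading of the two checks described in the message, not spec text.

const JSONREQUEST_TYPE = "application/jsonrequest";

// Reduce a Content-Type header to its media type: drop parameters such as
// "; charset=utf-8", trim whitespace and normalise case before comparing.
function mediaType(contentType) {
  if (typeof contentType !== "string") return "";
  return contentType.split(";")[0].trim().toLowerCase();
}

// Client-side rule for GET: the cross-domain response is handed to the page
// only if the server opted in with the JSONRequest media type. Returns the
// parsed JSON, or null when the response must be discarded, so a legacy
// service behind a firewall that replies with HTML never leaks to the page.
function acceptGetResponse(response) {
  if (mediaType(response.headers["content-type"]) !== JSONREQUEST_TYPE) {
    return null;
  }
  try {
    return JSON.parse(response.body);
  } catch (e) {
    return null; // opted in, but the body is not JSON: still reject
  }
}

// Server-side view for POST: a pre-existing intranet service that only
// understands form posts rejects the JSONRequest entity before any
// application logic runs. Returns an HTTP status code (constructed).
function legacyFormService(request) {
  const type = mediaType(request.headers["content-type"]);
  if (type !== "application/x-www-form-urlencoded") {
    return 415; // Unsupported Media Type
  }
  return 200;
}

// Constructed sample messages.
const optedInResponse = {
  headers: { "content-type": "Application/JSONRequest; charset=utf-8" },
  body: '{"ok":true}',
};
const legacyHtmlResponse = {
  headers: { "content-type": "text/html" },
  body: "<html>intranet data</html>",
};
```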
