W3C home > Mailing lists > Public > public-appformats@w3.org > January 2008

RE: ISSUE 19: Requirements and Usage Scenarios document

From: David Orchard <dorchard@bea.com>
Date: Tue, 15 Jan 2008 10:00:39 -0800
Message-ID: <BEBB9CBE66B372469E93FFDE3EDC493E0145332F@repbex01.amer.bea.com>
To: "Jon Ferraiolo" <jferrai@us.ibm.com>
Cc: "Anne van Kesteren" <annevk@opera.com>, "WAF WG (public)" <public-appformats@w3.org>, <public-appformats-request@w3.org>
I thought from your note that this was opening up a new attack vector
but that was acceptable because the functionality that results in the
vector is so desirable.
 
Cheers,
Dave


________________________________

	From: Jon Ferraiolo [mailto:jferrai@us.ibm.com] 
	Sent: Tuesday, January 15, 2008 9:46 AM
	To: David Orchard
	Cc: Anne van Kesteren; WAF WG (public);
public-appformats-request@w3.org
	Subject: RE: ISSUE 19: Requirements and Usage Scenarios document
	
	

	David,
	Wouldn't it be simpler to just say "no new attack vectors"
rather than attempt to find wording that says "aren't already
similar..."? If it's a new attack vector, I don't think it matters
whether it is similar to something that already exists.
	
	Jon
	
	
	 "David Orchard" <dorchard@bea.com>
	
	
	

				"David Orchard" <dorchard@bea.com> 
				Sent by:
public-appformats-request@w3.org 

				01/15/2008 08:44 AM

 

To

"Anne van Kesteren" <annevk@opera.com>, Jon Ferraiolo/Menlo
Park/IBM@IBMUS	


cc

"WAF WG (public)" <public-appformats@w3.org>	


Subject

RE: ISSUE 19: Requirements and Usage Scenarios document	
	 	

	
	Anne,
	
	If Cookies would be sent as part of more requests because of
deployment
	of the Access Control spec, then isn't this spec opening a new
attack
	vector?  I understand your point that cookies are already sent
under
	img, script and form, but this is something newer and in
addition to
	those.  I think one of the rough requirements we have is no new
attack
	vectors.  Now maybe that requirement ought to be something like
"no new
	attack vectors that aren't already similar to current attack
vectors
	such as cookies under img, script and form".  
	
	Cheers,
	Dave 
	
	> -----Original Message-----
	> From: public-appformats-request@w3.org 
	> [mailto:public-appformats-request@w3.org] On Behalf Of Anne 
	> van Kesteren
	> Sent: Tuesday, January 15, 2008 7:53 AM
	> To: Jon Ferraiolo
	> Cc: WAF WG (public)
	> Subject: Re: ISSUE 19: Requirements and Usage Scenarios
document
	> 
	> 
	> On Tue, 15 Jan 2008 15:20:46 +0100, Jon Ferraiolo
<jferrai@us.ibm.com>
	> wrote:
	> > I described a CSRF scenario in
	> > 
	> http://lists.w3.org/Archives/Public/public-appformats/2008Jan/
	0072.html.
	> > Search for the word "attack". My example attack vector
depends on 
	> > cookies being sent as part of the cross-site request and 
	> assumes that 
	> > the simplicity of using Access Control would result is
widespread 
	> > adoption by a new generation of unsophisticated web service 
	> developers 
	> > who will open up their APIs to mashup applications without 
	> > understanding the consequences.
	> > Note that the big CSRF worry here is that cookies are sent
with the 
	> > requests.
	> 
	> Cookies are already sent for <img>, <script>, and <form> 
	> requests. Nothing new. If people mindless opt in we have 
	> might have a problem (though it's really the people that opt 
	> in that do), but I would expect that dalmationlovers.invalid 
	> & co are using some off the shelf software.
	> 
	> 
	> --
	> Anne van Kesteren
	> <http://annevankesteren.nl/>
	> <http://www.opera.com/>
	> 
	> 
	
	
	


graycol.gif
(image/gif attachment: graycol.gif)

ecblank.gif
(image/gif attachment: ecblank.gif)

Received on Tuesday, 15 January 2008 18:02:44 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:56:21 UTC