[AC] URI canonicalization problem with Access-Control-Policy-Path

Hi folks,

Mozilla has received input that some servers canonicalize URIs in ways
that are incompatible with rfc2396. This can lead to security issues
with the Access-Control-Policy-Path header. Consider the following:

A server uses the following uri space to serve a number of cross-site
http-based APIs:


The server wants all resources under this uri-space to be accessible for
cross-site POSTs. So for the preflight OPTIONS request to this uri it 

Access-Control: allow <*>
Access-Control-Policy-Path: /apis
Access-Control-Max-Age: 36000

This means that the UA will not do any more preflight requests for any 
uri under "/apis".

However, apparently there are servers out there that canonicalize URIs 
differently from rfc2396 by treating "\" characters as path separators. 
An attacker can use this to attack a server configured as above.

It first sends a POST to "/apis", this makes the UA cache the above 
policy for 10h. It then sends a POST to "/apis/..\admin.cgi"

To a UA it looks like this is a POST to the file "..\admin.cgi" in the 
"apis" directory. However there are apparently servers out there that 
will canonicalize the above to /admin.cgi and thus treat it as a POST to 
that URI, which may not be safe.

Not really sure how to fix this short of disabling the whole 
Access-Control-Policy-Path feature. Especially if we assume that there 
are other canonicalization behaviors out there as well.

If anyone has more info on this issue we would very much appreciate 
that. Apparently this has come up in connection with the flash policy 
file in the past.

/ Jonas

Received on Wednesday, 14 May 2008 21:47:51 UTC