- From: Jonas Sicking <jonas@sicking.cc>
- Date: Wed, 14 May 2008 14:46:31 -0700
- To: "WAF WG (public)" <public-appformats@w3.org>
Hi folks,

Mozilla has received input that some servers canonicalize URIs in ways that are incompatible with rfc2396. This can lead to security issues with the Access-Control-Policy-Path header.

Consider the following: A server uses the following uri space to serve a number of cross-site http-based APIs:

    http://example.com/apis

The server wants all resources under this uri-space to be accessible for cross-site POSTs. So for the preflight OPTIONS request to this uri it replies:

    Access-Control: allow <*>
    Access-Control-Policy-Path: /apis
    Access-Control-Max-Age: 36000

This means that the UA will not do any more preflight requests for any uri under "/apis".

However, apparently there are servers out there that canonicalize URIs differently from rfc2396 by treating "\" characters as path separators. An attacker can use this to attack a server configured as above. It first sends a POST to "/apis"; this makes the UA cache the above policy for 10h. It then sends a POST to "/apis/..\admin.cgi".

To a UA it looks like this is a POST to the file "..\admin.cgi" in the "apis" directory. However, there are apparently servers out there that will canonicalize the above to /admin.cgi and thus treat it as a POST to that URI, which may not be safe.

Not really sure how to fix this short of disabling the whole Access-Control-Policy-Path feature, especially if we assume that there are other canonicalization behaviors out there as well.

If anyone has more info on this issue we would very much appreciate that. Apparently this has come up in connection with the flash policy file in the past.

/ Jonas
Received on Wednesday, 14 May 2008 21:47:51 UTC
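The mismatch Jonas describes, as an added example that is not part of the original message and not Mozilla's or the WAF WG's code. It models both sides: a UA that caches the Access-Control-Policy-Path policy for Max-Age seconds and applies a literal rfc2396-style prefix match, and a server that resolves dot-segments and, optionally, treats "\" as a path separator. The policy cache, the `backslashIsSeparator` switch and the `refuseSuspiciousPaths` option (a UA-side refusal to apply a cached policy to paths containing "\", "%" or dot-segments) are assumptions made for illustration, not behaviour any specification or product defined.

```javascript
// Server side: canonicalize a request path the way a non-rfc2396 server might.
// backslashIsSeparator models the servers the message describes.
function serverCanonicalize(path, backslashIsSeparator) {
  const unified = backslashIsSeparator ? path.replace(/\\/g, "/") : path;
  const out = [];
  for (const seg of unified.split("/")) {
    if (seg === "" || seg === ".") continue; // empty and "." segments vanish
    if (seg === "..") { out.pop(); continue; } // ".." climbs one level
    out.push(seg);
  }
  return "/" + out.join("/");
}

// UA side: literal prefix check, no "\" awareness (rfc2396 treats it as data).
function uaPathCoveredByPolicy(policyPath, requestPath) {
  const prefix = policyPath.endsWith("/") ? policyPath : policyPath + "/";
  return requestPath === policyPath || requestPath.startsWith(prefix);
}

// Assumed conservative UA check: do not reuse a cached policy for paths that
// carry characters some servers are known to reinterpret.
function pathIsSafeToCache(requestPath) {
  if (/[\\%]/.test(requestPath)) return false;
  return !requestPath.split("/").some((s) => s === "." || s === "..");
}

// Minimal model of the UA's preflight-result cache keyed by origin.
class PolicyCache {
  constructor() { this.entries = new Map(); }
  // Store the policy announced in the preflight response at time `now` (seconds).
  store(origin, policyPath, maxAge, now) {
    this.entries.set(origin, { policyPath, expires: now + maxAge });
  }
  // Would the UA skip the preflight for this request?
  skipsPreflight(origin, requestPath, now, refuseSuspiciousPaths) {
    const e = this.entries.get(origin);
    if (!e || now >= e.expires) return false;
    if (refuseSuspiciousPaths && !pathIsSafeToCache(requestPath)) return false;
    return uaPathCoveredByPolicy(e.policyPath, requestPath);
  }
}

// Replay the scenario: preflight for /apis caches the policy, then a POST to
// /apis/..\admin.cgi is sent `delay` seconds later. Returns what each side did.
function simulate(requestPath, backslashIsSeparator, refuseSuspiciousPaths = false, delay = 60) {
  const origin = "http://example.com"; // origin from the message
  const cache = new PolicyCache();
  cache.store(origin, "/apis", 36000, 0); // Access-Control-Max-Age: 36000
  const uaSkipsPreflight = cache.skipsPreflight(origin, requestPath, delay, refuseSuspiciousPaths);
  const serverEffectivePath = serverCanonicalize(requestPath, backslashIsSeparator);
  // The attack succeeds when the UA sends without preflight but the server
  // acts on a path outside the announced policy path.
  const escapes = uaSkipsPreflight && !uaPathCoveredByPolicy("/apis", serverEffectivePath);
  return { uaSkipsPreflight, serverEffectivePath, escapes };
}

// Constructed demonstration input from the message.
const ATTACK_PATH = "/apis/..\\admin.cgi";
console.log(simulate(ATTACK_PATH, true));        // escapes: true
console.log(simulate(ATTACK_PATH, false));       // escapes: false
console.log(simulate(ATTACK_PATH, true, true));  // UA refuses cached policy
```

Running the three calls shows the three outcomes: a backslash-splitting server receives a request that lands on /admin.cgi without any preflight; an rfc2396-conformant server keeps it inside /apis; and a UA that refuses to apply the cached policy to a path containing "\" falls back to a preflight, which the server can then answer for the path it will actually serve.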