Re: [AC] URI canonicalization problem with Access-Control-Policy-Path

Jon Ferraiolo wrote:
 > wrote on 05/15/2008 08:42:42 AM:
 > > Jon Ferraiolo wrote:
 > > > <jonas>
 > > > I don't understand at all what you are proposing. If we allow the
 > > > client to always POST cross domain the damage is already done and
 > > > we have lost already....JSONRequest always allows cross-site
 > > > POSTs, I.e. it always allows the thing we are trying to prevent.
 > > > </jonas>
 > > >
 > > > JSONRequest requires that a server make explicit changes in order
 > > > to opt-in to enabling cross-site requests (GET or POST). From the
 > > > JSONRequest spec (
 > > >
 > > > 3. Reponses will be rejected unless they contain a JSONRequest
 > > > content type. This makes it impossible to use JSONRequest to
 > > > obtain data from insecure legacy servers.
 > >
 > > Yes, JSONRequest makes the assumption that POSTing data cross site
 > > is safe as long as the posted data is of type
 > > application/jsonrequest. This is an assumption that I personally as
 > > well as mozilla feel very uncomfortable with.
 > Why uncomfortable? Is it because JSONRequest only supports JSON?

No, because performing cross-site POSTs before asking the receiving 
server first has lead to lots of CSRF problems in the past. This might 
be even worse if other methods, such as PUT and DELETE, are used. I'd 
much prefer the server was asked before making such a request.

 > (4) Improves incrementally from common practice today for
 > cross-site requests, where today dynamic SCRIPT elements pull JSON
 > data down from servers. But it isn't perfect.

The fact that cross site <script> works today is really scary for many 
reasons. It's something that I really hope we can figure out a way to 
limit in the future.

So it's definitely not a security model I want to build future security 
architecture on.

 > > This become even more of a problem if you want to scale up the
 > > JSONRequest spec to support other data types than JSON objects
 > > (something which is in the AC requirements).
 > >
 > > That said, if you really think that it is possible to create a
 > > security model based on JSONRequest which supports the requirements
 > > listed in the AC spec, I look forward to such a proposal.
 > Actually, even if there were no AC activity, I wouldn't expect the W3C
 > to rubberstamp JSONRequest for two main reasons: (1) No XML support in
 > JSONRequest, (2) There are probably various other improvements that
 > would be needed to address requirements.
 > But in my opinion JSONRequest or XDR would be good starting points for
 > cross-site request technology that would have the right security
 > characteristics and meet the requirements.

The fact that JSONRequest is only able to transfer JSON data seems to be 
an center part of its security model. Especially when it comes to 
protecting data behind firewalls.

However, as I said, would be interested to see a proposal based on 
JSONRequest. I would like to see that before getting the whole group 
together in an effort to build something based on JSONRequest, since I'm 
not convinced it is feasible.

/ Jonas

Received on Thursday, 15 May 2008 20:52:09 UTC