[AC] Deviations due to security policies from Jonas Sicking on 2008-07-09 (public-webapps@w3.org from July to September 2008)

From: Jonas Sicking <jonas@sicking.cc>
Date: Wed, 09 Jul 2008 10:39:52 -0700
To: Webapps WG <public-webapps@w3.org>
Message-ID: <4874F7E8.7070108@sicking.cc>

Hi folks,

As requested (at least by myself :)) here is the list of things where 
security policies in firefox might be "overriding" what the spec 
currently says:

1. Cookies
For some requests we might not send cookies depending on user 
preferences and user choices. For example one setting we have allows the 
user to be asked for each cross-site request weather cookies should be 
included in the request or not. So each request might behave differently 
depending on what the user chooses.

This currently only applies to cookies and not other authentication 
mechanisms. However it's possible that it will apply to other mechanisms 
in the future.

2. Banning certain servers
I think we have extensions that cause all connections to certain servers 
to always fail.

3. Banning internet to intranet connections
Hopefully in the future we will implement a policy that allows servers 
from the internet to connect to private IP ranges such as 192.168.x.x. 
This will apply to all types of requests which includes AC requests.

Similarly, I would expect microsoft to want to apply their zone features 
to prevent sites from some zones to connect to sites from some other zones.

4. Banning connections to local file system
This doesn't really apply any more since we no longer have the 
processing instruction. But firefox has a general policy not to allow 
web sites to access resources from the local file system. This policy 
will apply to Access-Control connections as well. Especially if we in 
the future add something like the PI.

5. Banning HTTPS to HTTP connections
I'm not sure if we have policies about this right now, but I know we 
will in the future. Under certain conditions we will deny a HTTPS site 
from connecting to any HTTP sites, or possibly even any site that uses a 
different certificate than the original site.

(2,3,4,5 can be simlified as saying that we might by policy deny some 
requests, even if the spec would otherwise allow it)

6. Banning certain headers
This might not apply to the AC spec any more if we have (or will) remove 
the header blacklist. But it's possible that in the future we'll 
discover other headers that should be blacklisted, even if the site opts 
in to supporting it.

7. Cache eviction
As we talked about a lot at the F2F we'll likely in certain cases evict 
things from the OPTSIONS cache even before the spec says to do so.


These are the things that I can think of off the top of my head. It's 
entirely possible that there is more though.

/ Jonas

Received on Wednesday, 9 July 2008 17:40:58 UTC