Re: Simple approach for <access> from Thomas Roessler on 2009-04-16 (public-webapps@w3.org from April to June 2009)

From: Thomas Roessler <tlr@w3.org>
Date: Thu, 16 Apr 2009 17:23:43 +0200
To: public-webapps@w3.org
Message-Id: <ABB9CB34-076B-413C-9C0C-4F6F0DC3AD17@w3.org>

Robin wrote:

> The <access> element is used to restrict a widget's access to a
> limited set of network resources. In the absence of an <access>
> element, all access to network resources is forbidden.
>
> The <access> element has a single @href attribute the content of which
> is an IRI-like string. The access opening that is specified by that
> string is defined as follows:
>
>   - the scheme component MUST be present, and access is granted only
> for that scheme; and
>   - the host component MUST be present. If it begins with "*." then
> the host that follows the "*." is granted access to, as well as all of
> its lower-level domains; otherwise access is only granted for that
> domain; and
>   - if the port component is absent, it is considered to be specified
> to be the default for the provided scheme. Access is granted only to
> that port; and
>   - if the path and query string component is present, then access is
> granted for any path and query string that starts with the specified
> string. It is treated as an opaque string, no attempt must be made to
> map to potential directories on the remote server; and
>   - if a fragment component is specified, it must be ignored.

Two questions:

1. How is the information in this access element going to be used at  
installation time or distribution time?  I'd like to see some spec  
text that explains this.

2. If one of the risks we're interested in is firewall traversal, then  
then proposed domain name wildcard has a somewhat different risk  
profile than just a single domain name:  while you can do a DNS  
rebinding attack for a single hostname, that's a well-known issue, and  
hopefully worked around in today's browser engines.  With the  
wildcard, though, it becomes relatively easy to do firewall  
traversal:  For example, one could simply generate DNS records  
n.n.n.n.example.com that point to the IP address n.n.n.n.

I wonder whether it might be useful to clearly distinguish the two  
cases (given the different risk profiles); I'd also like to see some  
discussion of this effect in the security considerations.

Thanks,
--
Thomas Roessler, W3C  <tlr@w3.org>

Received on Thursday, 16 April 2009 15:23:56 UTC