- From: Adam Barth <w3c@adambarth.com>
- Date: Sun, 7 Jun 2009 12:17:41 -0700
- To: "Mark S. Miller" <erights@google.com>
- Cc: public-webapps <public-webapps@w3.org>, Arthur Barstow <art.barstow@nokia.com>, Thomas Roessler <tlr@w3.org>, Tyler Close <tyler.close@gmail.com>, Jonas Sicking <jonas@sicking.cc>, "General discussions concerning capability systems." <cap-talk@mail.eros-os.org>, Google Caja Discuss <google-caja-discuss@googlegroups.com>, Douglas Crockford <douglas@crockford.com>, Tyler Close <tyler@waterken.com>, Collin Jackson <collinj@cs.stanford.edu>, Collin Jackson <collin.jackson@gmail.com>, David Wagner <daw@cs.berkeley.edu>, www-tag@w3.org
On Fri, Jun 5, 2009 at 9:42 PM, Mark S. Miller <erights@google.com> wrote: > [+www-tag] > > I have received several private responses to my post, but oddly, nothing > public yet. In these responses, I have been asked most frequently about: Sorry for the lag in public comments. > On Wed, Jun 3, 2009 at 4:21 PM, Mark S. Miller <erights@google.com> wrote: > Since malicious machines, or malicious applications running on trusted > machines, can sent messages that aren't self-identified as cross origin, why > do I suggest that lack of an origin header (in the absence of other > credentials) might lead a server into granting more access than it would for > messages self-identified as "Origin: null"? > > For servers reachable from the open internet, such server behavior would > indeed be nonsensical. However, many servers are behind corporate firewalls > and not reachable from the open internet. The premise firewalls rely on, > whether sensible or not, is that all software running behind that firewall > that can send arbitrary network messages are not malicious. Under this > assumptions, browsers behind the firewall are assumed not to be malicious > themselves, but of course may be running malicious scripts associated only > with origins outside the firewall. These can of course cause their browser > to initiate network messages to severs within the firewall, but only > messages identified with browser-imposed headers. For messages not > identified as cross origin, a server can assume that either the initiating > program is non-malicious (because it is associated with the server's > behind-the-firewall origin) or that the initiating program will not receive > the results of the request. This seems like a lot of speculation. Do you have any evidence to support this hypothesis? > Under these admittedly fragile (but common) assumptions, a server may indeed > "trust" a message that doesn't identify itself as cross origin more than it > "trusts" one that does. Thus, a non malicious script that doesn't wish the > sanitized scripts it loads to "speak for it" should force all the messages > they initiate to be identified as "Origin: null". If this were the case, we'd have this same problem with Referer, postMessage, Origin-for-CORS, and numerous other web technologies. Adam
Received on Sunday, 7 June 2009 19:18:39 UTC