Re: [cors] Review from Tyler Close on 2009-06-17 (public-webapps@w3.org from April to June 2009)

From: Tyler Close <tyler.close@gmail.com>
Date: Wed, 17 Jun 2009 16:31:56 -0700
To: Ian Hickson <ian@hixie.ch>
Cc: Anne van Kesteren <annevk@opera.com>, Mark Nottingham <mnot@mnot.net>, public-webapps@w3.org
Message-ID: <5691356f0906171631i120e40f8nf6ea91c8ba6b72a5@mail.gmail.com>

On Wed, Jun 17, 2009 at 4:19 PM, Ian Hickson<ian@hixie.ch> wrote:
> On Wed, 17 Jun 2009, Tyler Close wrote:
>> >
>> > I believe we have such services at Google, though for obvious reasons
>> > I wouldn't want to elaborate on that.
>>
>> Wow, if you could just confirm their existence, that would do fine. So
>> this resource acts on PUT or DELETE, or POST of a Content-Type other
>> than "application/x-www-form-urlencoded" or "text/plain"? And it checks
>> the Content-Type header? And it doesn't require any user credentials at
>> all? Connectivity is good enough.
>
> What you describe here seems to differ from what you described previously.
> I don't feel comfortable talking about our internal services, though, so
> I'd rather not elaborate.

We're just doing an existence test here. We don't need to know any
particulars. It'd be a shame to undermine webarch in an attempt to
preserve security that doesn't actually exist. We should make sure
CORS is not being unduly conservative.

It sounds like you might be changing your answer to: No, we don't have
such resources. Are you?

>> Is there any way a browser could tell a request is being sent to a
>> server behind your firewall, and not a server on the open Internet?
>
> No.

Does Google IT centrally configure any of your browser settings, so
that it could add this information to the browser?

>> > Is this the propoal to which you refer?:
>> >
>> > http://lists.w3.org/Archives/Public/public-webapps/2009AprJun/1011.html
>>
>> Yes.
>
> This seems to fail for cases that aren't even Intranet cases. Consider for
> instance a publicly accessible SOAP service that does authentication on an
> IP address basis only, and relies on checking the Content-Type header to
> make sure forms can't submit to it.

This service is already vulnerable to IP address spoofing.

2009/6/17 Adam Barth <adam@adambarth.com>:
> 2009/6/17 Anne van Kesteren <annevk@opera.com>:
>> On Wed, 17 Jun 2009 16:35:13 +0200, Tyler Close <tyler.close@gmail.com> wrote:
>>> Isn't it already possible to forge the IP address
>>> on a HTTP request to a web site, especially if you don't need to get
>>> the answer?
>>
>> I don't know.
>
> I'd classify this as moderately difficult. It's not something I can do for $5, but given a few hundred dollars, I can probably do it. Recall that sending an HTTP request requires a full TCP handshake, so its not as easy as SYN flooding.
>
> Adam


And also:

http://en.wikipedia.org/wiki/IP_address_spoofing

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html

Received on Wednesday, 17 June 2009 23:32:34 UTC