- From: Tyler Close <tyler.close@gmail.com>
- Date: Wed, 21 Apr 2010 10:02:35 -0700
- To: Anne van Kesteren <annevk@opera.com>
- Cc: "Mark S. Miller" <erights@google.com>, Jonas Sicking <jonas@sicking.cc>, Maciej Stachowiak <mjs@apple.com>, "public-webapps@w3.org" <public-webapps@w3.org>
On Wed, Apr 21, 2010 at 8:57 AM, Anne van Kesteren <annevk@opera.com> wrote:
> "Uniform" doesn't tell you much about what it is doing.

The term "uniform" in Uniform Messaging Policy (UMP) is used in the same sense as it is used in Uniform Resource Identifier (URI). In particular, the following from RFC 3986 is most relevant:

"URIs have a global scope and are interpreted consistently regardless of context, ..."

The UMP defines a way to produce an HTTP request regardless of context. Today, browsers can only produce requests that are entangled with the user-agent's local context and this is the key to enabling CSRF-like vulnerabilities. Well-formed, legitimate Web content that expresses an HTTP request might be harmless when viewed from an attacker's user-agent, but if the exact same content is viewed through a victim's user-agent, there is a successful attack. The difference between the two requests is simply the change of context.

The well-known CSRF attack is not the only way to cause mischief by switching the local context of an HTTP request. There is a whole family of similar attacks that use the same pattern, called Confused Deputy. The UMP enables web content to avoid this whole family of attacks by making requests from the global scope, rather than from the user-agent's local context. Today, requesting content is interpreted differently depending on context. The UMP makes this interpretation uniform, and so the produced HTTP request is the same no matter where it is produced from. This uniformity allows web content to avoid the built-in Confused Deputy vulnerabilities in the user-agent. Uniformity is the crux of what the UMP does.

As MarkM noted, uniformity is not the same as anonymity. I can compose web content that produces a request that declares my identity. Using the UMP, I can ensure that the produced request is the same, no matter where the request is issued from. The produced request still declares my identity and so is not anonymous.
--Tyler

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Wednesday, 21 April 2010 17:03:10 UTC