W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2010

Re: widget example of CORS and UMP

From: Tyler Close <tyler.close@gmail.com>
Date: Fri, 14 May 2010 12:00:40 -0700
Message-ID: <AANLkTimuVQHQXJa8jhQmOzsBwWVQ8iiZs92BJJ7Jzva-@mail.gmail.com>
To: Dirk Pranke <dpranke@chromium.org>
Cc: Maciej Stachowiak <mjs@apple.com>, public-webapps <public-webapps@w3.org>
On Fri, May 14, 2010 at 11:27 AM, Dirk Pranke <dpranke@chromium.org> wrote:
> On Fri, May 14, 2010 at 10:18 AM, Tyler Close <tyler.close@gmail.com> wrote:
>> On Fri, May 14, 2010 at 1:15 AM, Maciej Stachowiak <mjs@apple.com> wrote:
>>> OK, so there's two vulnerability scenarios:
>> Actually, there is at least one other kind of vulnerability in the
>> CORS design that has not been mentioned by anyone yet and that does
>> not require XSS or untrusted code.
>> Before I describe the attack, I want to remind everyone that the
>> purpose of this particular scenario was to study the usability of CORS
>> and UMP in a benign situation. This example only has a page from Yahoo
>> talking to servers also operated by Yahoo. There are also no
>> side-effects in this example; it's purely a data presentation example.
>> Given that CORS and UMP are new protocols and that this is the most
>> benign scenario we can conjure, I think it's fair to expect a solution
>> with strong security properties. It should be damning if the solution
>> to this very simple scenario introduces complex security problems.
> We are talking about enabling a class of functionality (cross-origin
> messaging) that isn't currently possible on the web. Obviously if it is
> possible to do so securely and easily, that's a good thing. If that is not
> possible, and the options are to enable things that have relative degrees
> of security or ease of use, then it becomes much more debatable.
> "Damning" is a strong word to use in this situation,

If the introduced security problems are complex and therefore hard or
infeasible to solve, then "damning" is the right word. If the simple,
benign scenario is made infeasible, that's damning.

>  especially since I
> think most people would see the interchange between Maciej and I that
> neither solution (CORS or UMP) makes things trivially securable. Another
> conclusion could be that doing this stuff is just hard.

There's a big difference between "trivially" and infeasible. What are
the issues with UMP where we cannot provide concrete guidance to
developers? As I've shown, there are hard unknowns in the CORS

>> If the Yahoo Finance portfolio was designed to use UMP instead of
>> CORS, this hack would not compromise any private
>> portfolio data since the attacker doesn't know the unguessable secret
>> for anyone's private portfolio.
> If the code had been audited, then it is reasonable to assume that someone
> would have caught that allowing the HotTrades service to tell the user to
> fetch *any url at all* was a bad idea, and the API should have been
> restricted to "GET http://finance.yahoo.com/stock/%s/instaprice" instead
> of "GET %s".

You've changed the scenario so that now HotTrades can only happen on
Yahoo listed securities, instead of those listed on any exchange in
the world. You have to allow fetching of any URL to make the
application work. A possible CORS solution is to check that the URL
does not refer back to a user private resource on my.yahoo.com and so
do a check on the domain in the URL from HotTrades. However, now you
have to wonder about other domains that accept cross-domain requests
from my.yahoo.com, such as finance.yahoo.com. How do you list all
other domains that might be giving special cross-domain access to
my.yahoo.com? You can't; it's an unbounded list that is not even under
the control of my.yahoo.com.

> This is also what Maciej said in his Don't Be a Deputy
> Slides - "Guarantee that requests on behalf of a third party look different than
> your own".

How do I make a GET request for public data look different? I look
forward to seeing DBAD explained in greater depth. I am completely
unconvinced by what has been presented to date.

> You are correct that it is possible to use CORS unsafely. It is possible to use
> UMP unsafely,

Again, that is broken logic. It is possible to write unsafe code in
C++, but it is also possible to write unsafe code in Java, so there's
no security difference between the two languages. Please, this
illogical argument needs to die.

> since - as others have expressed - everything depends on the URL
> being unguessable.

or putting an unguessable token somewhere else in the request.

In CORS, everything depends on the cookie being unguessable and
confidential. Adam has shown how hard that is.

> Many people seem to feel that this is at least as
> great a flaw
> as the ambient authority flaw.

As you and Maciej discussed, a truly secure solution requires the use
of unguessable secrets outside of cookies. Whether you argue for CORS
or UMP, you must have techniques for protecting these non-cookie

> So, to me, your argument suggests that we either should not implement
> either solution,
> which no one will find acceptable, or we should implement a solution
> that requires
> *both* unguessable tokens and cookies.

I don't follow your logic here. We have techniques for protecting
unguessable tokens outside of cookies. We know that cookies *don't*
provide a good way to protect unguessable tokens. Adam has clearly
shown that.


"Waterken News: Capability security on the Web"
Received on Friday, 14 May 2010 19:01:15 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:13:07 UTC