Re: [UMP] Feedback on UMP from a quick read

On Sat, Jan 9, 2010 at 7:23 AM, Tyler Close <tyler.close@gmail.com> wrote:
> If the response can be parsed as ECMAScript, an attacker can break
> confidentiality by loading the document using a <script> tag.

As Maciej says, just because the server can screw up its
confidentiality doesn't mean we should prevent servers from doing the
secure thing.  By this argument, we should remove the same-origin
policy entirely because some sites might have XSS vulnerabilities.

> Also,
> for any media-type, the attacker can mount a clickjacking attack
> against this design.

Clickjacking is an integrity attack.  I'm worried about confidentiality.

> Since in general this design cannot be made safe,
> I think it's better to not support it at all in the security model, by
> allowing a uniform request to follow a non-uniform redirect. A
> security model that works for some media-types but not others is just
> too bizarre to explain to developers.

That's the security model we have.  For example, it's safe to return
untrusted HTML tags with certain media types but not with others.

> This choice doesn't endanger
> existing resources, since CORS also allows a cross-origin request to
> follow a redirect that has not opted out of the Same Origin Policy.

I'm glad you consider CORS to be the epitome of a secure design.  :)

(As Maciej says, CORS doesn't appear to have this hole.)

Adam

Received on Saturday, 9 January 2010 18:21:05 UTC