Re: [UMP] Server opt-in from Tyler Close on 2010-01-14 (public-webapps@w3.org from January to March 2010)

From: Tyler Close <tyler.close@gmail.com>
Date: Thu, 14 Jan 2010 09:20:20 -0800
To: Adam Barth <w3c@adambarth.com>
Cc: "Mark S. Miller" <erights@google.com>, public-webapps <public-webapps@w3.org>
Message-ID: <5691356f1001140920i7dd7d51g944a9118bc69ccdf@mail.gmail.com>

On Tue, Jan 12, 2010 at 5:34 PM, Adam Barth <w3c@adambarth.com> wrote:
> On Tue, Jan 12, 2010 at 4:24 PM, Mark S. Miller <erights@google.com> wrote:
>> The most it can do is ignore such information. It is up to the
>> client not to provide such information. It is the job of the standard to
>> require the client not to provide it, and to inform server-side authors not
>> to expect it.
>
> Right, but we're working in a threat model where ambient authority is
> confusing to servers can causes them to have vulnerabilities.  If the
> server is smart enough to understand the dangers of ambient authority,
> then we don't need UMP.  CORS would be sufficient.

The client-side requires the UMP restrictions. When a client is about
to send off a request, it doesn't yet know whether or not the server
will ignore the client's ambient authority. To ensure that it must,
the request delivered to the server contains no credentials.

On the server-side, a resource implemented to the UMP security model
doesn't expect requests to bear credentials, since clients are not
expected to send them. There shouldn't be any code branches on the
server-side that are conditional upon receiving credentials.
Consequently, if a malicious client does send credentials, these have
no impact on processing of the request.

> On Tue, Jan 12, 2010 at 4:56 PM, Tyler Close <tyler.close@gmail.com> wrote:
>> UMP supports confidentiality where client and server desire
>> confidentiality.
>
> My question, then, is how can a server enjoy the confidentiality
> benefits of UMP without paying the security costs of CORS?

By neither issuing, nor accepting client credentials, so that clients
can access the server's resources without being vulnerable to CSRF
attacks that would break confidentiality.

The confidentiality of a resource can be compromised by a CSRF
vulnerability in a legitimate client. A server can avoid this loss of
confidentiality by providing its clients a security model that is not
vulnerable to CSRF. UMP provides this security model.

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html

Received on Thursday, 14 January 2010 17:20:54 UTC