W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2011

Re: [widgets] WARP and redirects

From: Robin Berjon <robin.berjon@gmail.com>
Date: Mon, 20 Jun 2011 11:41:07 +0200
Cc: public-webapps <public-webapps@w3.org>, Hari Kumar G <harig@opera.com>
Message-Id: <2DA2C81C-ACD4-4CFE-8003-D84B00B84E37@gmail.com>
To: Marcos Caceres <marcosscaceres@gmail.com>
On Jun 2, 2011, at 09:53 , Marcos Caceres wrote:
> Consider this scenario: the widget requests access to www.google.com.
> On a local level google redirects to .pl or co.in . With WARP, if we
> checked redirects the local google page would be blocked. It would be
> impossible for any developer to take care of all those country wide
> domains in the normal way (and it does not scale). So we would want to
> allow this. Also in widgets XHRs resulting in 301s are followed and
> the final content is returned (this wasn't how it worked but was fixed
> later).
> For a future version of WARP to work effectively, the spec should give
> the option of allow for redirects (or should do this automatically):
> <access origin="http://x.com" redirects="true"/>

That's a security hole begging to happen. A lot of perfectly legit sites have a built-in redirect service. People use that, notably, to be notified of when a user leaves their site through a link they clicked, so instead of linking to http://berjon.com/ they link to http://nyt.com/redirect?to=http://berjon.com/.

So with your suggested approach, all a malicious widget has to do is request access to a perfectly valid data source under whatever false pretence, and then use its redirector service to go to evil.com, or to hit stuff that should be hidden on your private network:

    // grab all of Marcos's print jobs

Robin Berjon
  Robineko (http://robineko.com/)
  Twitter: @robinberjon
Received on Monday, 20 June 2011 09:41:39 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:13:20 UTC