Re: [manifest] Parsing origins, was Re: Review of Web Application Manifest Format and Management APIs

On Sat, May 26, 2012 at 10:26 AM, Anant Narayanan <anant@mozilla.com> wrote:
> On 05/25/2012 11:11 PM, Adam Barth wrote:
>> On Fri, May 25, 2012 at 7:39 AM, Marcos Caceres<w3c@marcosc.com>  wrote:
>>> On Sunday, May 13, 2012 at 5:47 PM, Anant Narayanan wrote:
>>>>>> installs_allowed_from: An array of origins that are allowed to trigger
>>>>>> installation of this application. This field allows the developer to
>>>>>> restrict installation of their application to specific sites. If the value
>>>>>> is omitted, installs are allowed from any site.
>>>>>
>>>>> How are origins parsed?
>>>>
>>>> I'm not sure what the question means, but origins are essentially a
>>>> combination of [protocol]://[hostname]:[port]. Whenever an install is
>>>> triggered, the UA must check if the origin of the page triggering the
>>>> install is present in this array. * is a valid value for
>>>> installs_allowed_from, in which case the UA may skip this check.
>>>
>>> By parsing I mean which ones win, which ones get discarded, what happens
>>> to invalid ones, are they resolved already, etc. in the following:
>>>
>>> installs_allowed_from: [ "   http://foo/ ", "bar://", 22,
>>> "https://foo/bar/#*", "http://foo:80/", "wee!!!", "http://baz/hello there!",
>>> "http://baz/hello%20there!"]
>>>
>>> And so on. So, all the error handling stuff. Or is a single error fatal?
>>
>> I seem to have missed the context for this thread, but typically
>> origins are not parsed.  They're compared character-by-character to
>> see if they're identical.  If you have a URL, you can find its origin
>> and then serialize it to ASCII or Unicode if you want to compare it
>> with another origin.
>
> Ah we could certainly do this, but in our current implementation a single
> error is fatal. I do like the idea of not making sure that the origins are
> valid, especially for installs_allowed_from.

As a point of reference, here's what CORS does:

---8<---
If the value of Access-Control-Allow-Origin is not a case-sensitive
match for the value of the Origin header as defined by its
specification, return fail and terminate this algorithm.
--->8---

http://www.w3.org/TR/cors/#resource-sharing-check-0

I would encourage you not to allow sloppiness in origins.  That's just
asking for security problems.

Adam

Received on Saturday, 26 May 2012 18:24:36 UTC
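The exact-match check Adam describes, written out as an added example; this is not code from the thread, from the manifest spec, or from any Mozilla implementation, and the function names, the `installsAllowedFrom` parameter and the treatment of a non-array value are assumptions made for the example. Each manifest entry is treated as an opaque string and compared case-sensitively with the serialized origin of the page that triggered the install, the way CORS compares Access-Control-Allow-Origin with the Origin header. A separate lint function shows what happens to Marcos's sloppy list under that rule.

```javascript
// Added example (not from the thread). Strict origin matching for
// installs_allowed_from, plus an authoring-time lint for bad entries.

// Serialized origin of the installing page: scheme://host[:port], with the
// default port omitted (WHATWG URL "origin" serialization, as exposed by
// URL.prototype.origin in Node and browsers).
function originOf(pageUrl) {
  return new URL(pageUrl).origin;
}

// Install-time check. Nothing is trimmed, lower-cased or resolved: an entry
// either equals the page origin character for character, or it does not.
// "*" keeps the meaning given in the thread (the check is skipped).
// Assumption for this example: a non-array value allows nothing.
function installAllowed(installsAllowedFrom, pageUrl) {
  if (installsAllowedFrom === undefined) return true; // field omitted: any site
  if (!Array.isArray(installsAllowedFrom)) return false;
  const origin = originOf(pageUrl);
  return installsAllowedFrom.some((e) => e === "*" || e === origin);
}

// Authoring-time lint, the complement of the strict check above: report
// every entry that can never match, with the serialization the author
// probably meant, so a sloppy manifest is caught by a tool rather than
// silently accepted or silently matched.
function classifyEntry(entry) {
  if (entry === "*") return { entry, status: "wildcard" };
  if (typeof entry !== "string") return { entry, status: "not-a-string" };
  let url;
  try {
    url = new URL(entry);
  } catch {
    return { entry, status: "unparseable" };
  }
  // Non-special schemes such as bar:// have an opaque origin, which
  // serializes as "null" and can never equal a page origin.
  if (url.origin === "null") return { entry, status: "opaque-origin" };
  if (url.origin !== entry) {
    return { entry, status: "not-canonical", canonical: url.origin };
  }
  return { entry, status: "ok" };
}

function lintInstallsAllowedFrom(installsAllowedFrom) {
  return installsAllowedFrom
    .map(classifyEntry)
    .filter((r) => r.status !== "ok" && r.status !== "wildcard");
}

// Marcos Caceres' list from the thread, reproduced here as constructed
// sample input.
const SLOPPY_LIST = [
  "   http://foo/ ", "bar://", 22, "https://foo/bar/#*", "http://foo:80/",
  "wee!!!", "http://baz/hello there!", "http://baz/hello%20there!",
];

// Under exact comparison none of those eight entries ever grants an
// install, not even to http://foo, because none is a canonical origin.
console.log(installAllowed(SLOPPY_LIST, "http://foo/index.html"));   // false
console.log(installAllowed(["http://foo"], "http://foo:80/index.html")); // true
for (const r of lintInstallsAllowedFrom(SLOPPY_LIST)) console.log(r);
```

The point of splitting the two functions is that the install-time check stays trivially auditable (one string equality, no parser on the hot path), while the lint does the parsing once, at authoring time, where a wrong guess costs nothing. Note that `"http://foo:80/"` and `"HTTP://foo"` both fail the check against a page at `http://foo/` even though a URL parser would consider them the same origin; that is deliberate, and it is the behaviour the CORS excerpt above prescribes.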