W3C home > Mailing lists > Public > public-webappsec@w3.org > August 2013

Re: Sub-origins

From: Brad Hill <hillbrad@gmail.com>
Date: Thu, 29 Aug 2013 09:42:28 -0700
Message-ID: <CAEeYn8jhB5uO0gYZbZhqPCheBNbXG+2rJfBKZh-nyT3OMi1zWw@mail.gmail.com>
To: Michal Zalewski <lcamtuf@coredump.cx>
Cc: Joel Weinberger <jww@chromium.org>, Devdatta Akhawe <dev.akhawe@gmail.com>, Mike West <mkwst@google.com>, Daniel Veditz <dveditz@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Michal Zalewski <lcamtuf@google.com>, Adam Barth <abarth@google.com>
I would just caution against being too casual about considering the browser
the only citizen of the SOP ecosystem, even if you happen to think the
recent history of such was misguided.

For an example of a protocol encoding and comparing origins, consider
"Universal 2nd Factor" (previously known as Gnubby) which Google is leading
the development of.
https://docs.google.com/document/d/1Jm_xAJTZGulMOkYOQm-fIQhhkd2VDr9578oh0KOwcEw/edit#heading=h.q5kqrl82hzpj

And also consider the rich extension ecosystem for Chrome utilizing origins
for security isolation.
https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final177_0.pdf

And the set of cross-origin attacks on mobile platforms recently explored
by MSR, and their proposed mitigation using an origin indication:
http://research.microsoft.com/pubs/200406/ccs127-wang.pdf

I'm interested in exploring a way to encode suborigins as first-class
citizens of URL space a bit further as an alternative to the hash scheme,
since the single-value URL is the near-universal means of communicating
resource information with embedded security boundaries between the various
pieces of the web ecosystem.


On Thu, Aug 29, 2013 at 8:53 AM, Michal Zalewski <lcamtuf@coredump.cx>wrote:

> I am not particularly excited about the hashing proposal. It adds
> complexity to the scheme that may discourage developers, and I do not see
> it offering any clear benefits over other possible serializations.
>
> For some context, the original proposal we started with relied on encoding
> the suborigin as a part of a serializable URL; in the original draft, I
> suggested something like "http://$suborigin.example.com/", where '$'
> would be any character that is not allowed to organically appear unescaped
> in the host name part. This greatly simplifies the proposal because it
> avoids all the concerns about backward compatibility with same-origin
> checks, CORS headers, postMessage event properties, all sorts of permission
> prompts, and so on. However, it has the downside of mucking with the URL
> syntax.
>
> One of the counterproposals was the scheme mentioned by Joel,
> "http+suborigin://example.com/". This approach has a higher likelihood of
> creating incompatibilities - for eample, a server that only looks at the
> host name field (but not the protocol) to permit or reject CORS requests,
> could be in trouble. It also seems like a bad abuse of that part of the URL.
>
> Since we expected this to come up in a public discussion anyway, we
> settled on a clean but not backward-compatible approach of serializing the
> origin as null in several specific cases, and exposing the suborigin data
> via a separate channel. I agree that this carries some interesting risks.
>
> /mz
>
Received on Thursday, 29 August 2013 16:42:57 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:02 UTC