
CfC: FPWD of Entry Point Regulation

From: Brad Hill <hillbrad@gmail.com>
Date: Tue, 28 Apr 2015 20:20:00 +0000
Message-ID: <CAEeYn8iPTLDw6ju-jrr4n7hGn-BX1_4fQPrC7t59ok0oSFvfYA@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>

This is a call for consensus to publish the following draft of "Entry Point
Regulation" as a First Public Working Draft:

https://mikewest.github.io/webappsec/specs/epr/

Entry Point Regulation intends to provide defense-in-depth against
reflected cross-site scripting and other content injection (XSS),
cross-site script inclusion (XSSI), and cross-site request forgery (CSRF)
attacks.

These attacks all rely on the fundamentally porous nature of the web: any
addressable portion of an application can be requested by any third-party,
with arbitrary query parameters and fragment identifiers. The user agent
will happily issue such requests with all the authority granted to the
user, which can result in a number of problems.

If an author can limit incoming traffic to a strict set of well-audited
entry points, web applications can reduce the risk these attacks present,
and indeed some authors have taken steps to do so via server-side logic
(and, soon, via Service Workers). These server-side redirects can be an
effective solution, but have a number of drawbacks. Complexity to the side,
they are prone to false-positive restrictions in cases where a user’s
intent should override the author’s intent (bookmarked links, for instance).

This document defines a client-side scheme which can be layered on top of
an existing application without server-side modifications, providing the
attack mitigation authors desire, while allowing user intent to trump
brittle filters when possible.

Please send comments to public-webappsec@w3.org. Positive feedback is
encouraged. Negative feedback is encouraged.

This call for consensus will end with our next regularly scheduled
teleconference on May 4.

Thank you,

-Brad
Received on Tuesday, 28 April 2015 20:20:28 UTC
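An added illustration of the policy the message describes, not code from the EPR draft or from Brad Hill's mail: a cross-site request to the application is passed through, rewritten down to a declared entry point's allowed parameters, or redirected to a landing page, while user-initiated navigation (which only the user agent can recognise) is exempt. The origin, entry points and requests are constructed for the example.

```javascript
// Toy entry-point policy of the kind a user agent or Service Worker could apply.
// Everything below (origin, paths, parameters) is constructed for illustration.
const APP_ORIGIN = "https://app.example";

// Declared entry points and the query parameters each accepts from cross-site traffic.
const ENTRY_POINTS = {
  "/": [],
  "/login": ["next"],
  "/search": ["q"],
};

// Cross-site requests that fail the policy are sent here instead of dropped silently.
const LANDING = APP_ORIGIN + "/";

// req = { url, method, referrerOrigin (null when absent), userInitiated }
// Returns { decision: "allow" | "rewrite" | "block", url, stripped }.
function regulate(req) {
  const url = new URL(req.url);
  const originalHref = url.href;
  const pass = { decision: "allow", url: originalHref, stripped: [] };

  // Requests to other origins are not this application's concern.
  if (url.origin !== APP_ORIGIN) return pass;
  // Same-origin traffic is the application talking to itself: not regulated.
  if (req.referrerOrigin === APP_ORIGIN) return pass;
  // User intent (typed URL, bookmark) overrides the filter. A server cannot tell
  // this apart from a stripped-referrer link, which is the false-positive problem.
  if (req.userInitiated) return pass;

  const allowed = ENTRY_POINTS[url.pathname];
  // Cross-site traffic to a non-entry point, or with a state-changing method,
  // is redirected: this is the CSRF / XSSI part of the mitigation.
  if (allowed === undefined || req.method !== "GET") {
    return { decision: "block", url: LANDING, stripped: [] };
  }

  // Keep only declared parameters; unexpected ones are the usual carrier for
  // reflected XSS. The fragment is dropped too, since it feeds DOM-based sinks.
  const kept = new URLSearchParams();
  const stripped = [];
  for (const [name, value] of url.searchParams) {
    if (allowed.includes(name)) kept.append(name, value); else stripped.push(name);
  }
  url.search = kept.toString();
  url.hash = "";
  const changed = url.href !== originalHref;
  return { decision: changed ? "rewrite" : "allow", url: url.href, stripped };
}
```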
