- From: Brad Hill <hillbrad@gmail.com>
- Date: Tue, 28 Apr 2015 20:20:00 +0000
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAEeYn8iPTLDw6ju-jrr4n7hGn-BX1_4fQPrC7t59ok0oSFvfYA@mail.gmail.com>
This is a call for consensus to publish the following draft of "Entry Point Regulation" as a First Public Working Draft: https://mikewest.github.io/webappsec/specs/epr/ Entry Point Regulation intends to provide defense-in-depth against reflected cross-site scripting and other content injection (XSS), cross-site script inclusion (XSSI), and cross-site request forgery (CSRF) attacks. These attacks all rely on the fundamentally porous nature of the web: any addressible portion of an application can be requested by any third-party, with arbitrary query parameters and fragment identifiers. The user agent will happily issue such requests with all the authority granted to the user, which can result in a number of problems. If an author can limit incoming traffic to a strict set of well-audited entry points, web applications can reduce the risk these attacks present, and indeed some authors have taken steps to do so via server-side logic (and, soon, via Service Workers). These server-side redirects can be an effective solution, but have a number of drawbacks. Complexity to the side, they are prone to false-positive restrictions in cases where a user’s intent should override the author’s intent (bookmarked links, for instance). This document defines a client-side scheme which can be layered on top of an existing application without server-side modifications, providing the attack mitigation authors desire, while allowing user intent to trumph brittle filters when possible. Please send comments to public-webappsec@w3.org. Positive feedback is encouraged. Negative feedback is encouraged. This call for consensus will end with our next regularly scheduled teleconference on May 4. Thanks you, -Brad
Received on Tuesday, 28 April 2015 20:20:28 UTC