
CfC: FPWD of Entry Point Regulation

From: Brad Hill <hillbrad@gmail.com>
Date: Tue, 28 Apr 2015 20:20:00 +0000
Message-ID: <CAEeYn8iPTLDw6ju-jrr4n7hGn-BX1_4fQPrC7t59ok0oSFvfYA@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
This is a call for consensus to publish the following draft of "Entry Point
Regulation" as a First Public Working Draft:


Entry Point Regulation intends to provide defense-in-depth against
reflected cross-site scripting and other content injection (XSS),
cross-site script inclusion (XSSI), and cross-site request forgery (CSRF).

These attacks all rely on the fundamentally porous nature of the web: any
addressable portion of an application can be requested by any third party,
with arbitrary query parameters and fragment identifiers. The user agent
will happily issue such requests with all the authority granted to the
user, which can result in a number of problems.

If an author can limit incoming traffic to a strict set of well-audited
entry points, web applications can reduce the risk these attacks present,
and indeed some authors have taken steps to do so via server-side logic
(and, soon, via Service Workers). These server-side redirects can be an
effective solution, but have a number of drawbacks. Complexity to the side,
they are prone to false-positive restrictions in cases where a user’s
intent should override the author’s intent (bookmarked links, for instance).

This document defines a client-side scheme which can be layered on top of
an existing application without server-side modifications, providing the
attack mitigation authors desire, while allowing user intent to trump
brittle filters when possible.

Please send comments to public-webappsec@w3.org. Positive feedback is
encouraged. Negative feedback is encouraged.

This call for consensus will end with our next regularly scheduled
teleconference on May 4.

Thank you,

Received on Tuesday, 28 April 2015 20:20:28 UTC
