
Re: WebAppSec re-charter status

From: David Ross <drx@google.com>
Date: Thu, 12 Feb 2015 15:07:29 -0800
Message-ID: <CAMM+ux5Aa_Oc0UVxZw+y+UMFn44yuXASn8viVqo0YtORbdY7rw@mail.gmail.com>
To: "Eduardo' Vela <Nava>" <evn@google.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, Mounir Lamouri <mlamouri@google.com>, Wendy Seltzer <wseltzer@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Deian Stefan <deian@cs.stanford.edu>, Devdatta Akhawe <dev.akhawe@gmail.com>, David Baron <dbaron@dbaron.org>, Mike West <mkwst@google.com>, Daniel Veditz <dveditz@mozilla.com>, Jeffrey Yasskin <jyasskin@google.com>, Brad Hill <hillbrad@gmail.com>, Martin Thomson <martin.thomson@gmail.com>
> > Is the concern that EPR will make this practice mainstream?

> It's a concern, certainly.

So how exactly would this all play out if EPR were to get implemented in
browsers?  Brian Smith suggested that the concern was all about
*unintended* abuse of EPR.  So to me it sounds like the scenario is just
that people become overzealous with implementing EPR on their sites in
order to mitigate XSS / XSRF, to the extent that large and very public-facing
sites adopt it (as opposed to the intended "control panel" type
scenarios).  Is this the worry?

Dave


On Thu, Feb 12, 2015 at 2:23 PM, "Eduardo' Vela <Nava>" <evn@google.com> wrote:

> So EPR breaks the web because Referrer enforcement is broken and can't be
> used as a security control effectively. That's why you mentioned Origin and
> HTTPS. Since Referrer enforcement is less likely to break over SSL and
> Origin works differently.
>
> I see, it all makes sense now.
> On Feb 12, 2015 10:52 PM, "Anne van Kesteren" <annevk@annevk.nl> wrote:
>
>> On Thu, Feb 12, 2015 at 9:50 PM, "Eduardo' Vela <Nava>" <evn@google.com> wrote:
>> > Hmm, I think I didn't explain myself correctly.
>>
>> I thought you did.
>>
>>
>> > The concern is that, say, if EPR was implemented, sites like Facebook
>> > or the WSJ could block Google, or Bing from linking to their site.
>> >
>> > Another concern is that, for example, Bugzilla or GitHub could break
>> > links in a way that I couldn't bookmark them or store them in delicio.us.
>> >
>> > Another concern is that, for example, Yahoo News could be linked to from
>> > Bing but not DuckDuckGo.
>> >
>> > Did I miss any concerns on EPR vs. The Web?
>>
>> Directly linking to "subresources" of an EPR site, presumably.
>>
>>
>> > Which of these concerns is impossible without EPR? Say, with Referrer
>> > checking.
>>
>> As I said, if you implement Referer checking you might end up breaking
>> your own site for a number of users due to weird firewall policies.
>> See past research on that header. I think it was done by Adam Barth.
>>
>>
>> > Is the concern that EPR will make this practice mainstream?
>>
>> It's a concern, certainly.
>>
>>
>> --
>> https://annevankesteren.nl/
>>
>
Received on Thursday, 12 February 2015 23:07:56 UTC
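The Referer-versus-Origin point made in the quoted exchange above (strict Referer checking locks out users behind proxies that strip the header, lenient checking admits forged requests, and Referer is stripped far less often over HTTPS), as an added example that is not part of the thread. The site name, the sample requests and the fallback policy are hypothetical, constructed here for illustration; nothing in this block is code from the list participants.

```javascript
// Added example, not code from the thread: a server-side CSRF/XSRF check that
// shows why Referer validation is fragile and how an Origin check differs.
// SITE_ORIGIN and the SAMPLES below are constructed for illustration.
const SITE_ORIGIN = "https://app.example"; // hypothetical protected site

// scheme://host[:port] of an absolute URL, or null if it will not parse.
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch {
    return null;
  }
}

// Referer validation. `onMissing` is the policy for a request without the
// header: "deny" locks out users whose proxy or firewall strips Referer
// (legitimate traffic breaks); "allow" keeps them working but also admits a
// forged request on which Referer was suppressed. A Referer that does not
// parse is treated like a cross-site one.
function refererCheck(headers, onMissing) {
  const ref = headers.referer;
  if (ref === undefined) return `${onMissing}:missing-referer`;
  return originOf(ref) === SITE_ORIGIN ? "allow" : "deny:cross-site-referer";
}

// Origin validation. The header carries only scheme/host/port, so it leaks no
// path or query, which is what privacy filters object to in a full Referer.
// Treating a missing Origin as a failure is a design choice of this example,
// not a rule stated in the thread.
function originCheck(headers) {
  const origin = headers.origin;
  if (origin === undefined) return "deny:missing-origin";
  return origin === SITE_ORIGIN ? "allow" : "deny:cross-site-origin";
}

// Combined policy (hypothetical): prefer Origin when the browser sent it;
// otherwise fall back to Referer, strict on HTTPS (where stripping is rare)
// and lenient on plain HTTP (where it is common enough to break real users).
function csrfCheck(req) {
  if (req.headers.origin !== undefined) return originCheck(req.headers);
  const onMissing = req.url.startsWith("https://") ? "deny" : "allow";
  return refererCheck(req.headers, onMissing);
}

// Constructed sample requests, not captured traffic.
const SAMPLES = {
  sameSite: {
    url: "https://app.example/transfer",
    headers: { referer: "https://app.example/account" },
  },
  attackerPage: {
    url: "https://app.example/transfer",
    headers: { referer: "https://evil.example/csrf.html" },
  },
  // Referer removed by a corporate proxy. The server cannot distinguish this
  // from a forged request on which the attacker suppressed the header.
  strippedHttps: { url: "https://app.example/transfer", headers: {} },
  strippedHttp: { url: "http://app.example/transfer", headers: {} },
  // Cross-origin request carrying Origin: rejected regardless of Referer.
  withOrigin: {
    url: "https://app.example/transfer",
    headers: { origin: "https://evil.example" },
  },
};

// Run every sample through the combined policy; returns name -> decision.
function runSamples() {
  const out = {};
  for (const [name, req] of Object.entries(SAMPLES)) out[name] = csrfCheck(req);
  return out;
}

console.log(runSamples());
```

The `strippedHttp` and `strippedHttps` rows are the whole argument: the same absent header is a locked-out legitimate user in one policy and an admitted forgery in the other, and only the transport gives the server any basis for choosing. That ambiguity is what makes Referer enforcement a weak primary control and why the thread points at Origin and HTTPS instead.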
