
Re: WebAppSec re-charter status

From: David Ross <drx@google.com>
Date: Thu, 12 Feb 2015 15:07:29 -0800
Message-ID: <CAMM+ux5Aa_Oc0UVxZw+y+UMFn44yuXASn8viVqo0YtORbdY7rw@mail.gmail.com>
To: "Eduardo' Vela <Nava>" <evn@google.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, Mounir Lamouri <mlamouri@google.com>, Wendy Seltzer <wseltzer@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Deian Stefan <deian@cs.stanford.edu>, Devdatta Akhawe <dev.akhawe@gmail.com>, David Baron <dbaron@dbaron.org>, Mike West <mkwst@google.com>, Daniel Veditz <dveditz@mozilla.com>, Jeffrey Yasskin <jyasskin@google.com>, Brad Hill <hillbrad@gmail.com>, Martin Thomson <martin.thomson@gmail.com>
> > Is the concern that EPR will make this practice mainstream?

> It's a concern, certainly.

So how exactly would this all play out if EPR were to get implemented in
browsers? Brian Smith suggested that the concern was all about
*unintended* abuse of EPR. So to me it sounds like the scenario is just
that people become overzealous with implementing EPR on their sites in
order to mitigate XSS / XSRF, to the extent that large and very public-facing
sites adopt it (as opposed to the intended "control panel" type
scenarios). Is this the worry?


On Thu, Feb 12, 2015 at 2:23 PM, Eduardo' Vela" <Nava> <evn@google.com> wrote:

> So EPR breaks the web because Referrer enforcement is broken and can't be
> used as a security control effectively. That's why you mentioned Origin and
> HTTPS. Since Referrer enforcement is less likely to break over SSL and
> Origin works differently.
> I see, it all makes sense now.
> On Feb 12, 2015 10:52 PM, "Anne van Kesteren" <annevk@annevk.nl> wrote:
>> On Thu, Feb 12, 2015 at 9:50 PM, Eduardo' Vela" <Nava> <evn@google.com>
>> wrote:
>> > Hmm, I think I didn't explain myself correctly.
>> I thought you did.
>> > The concern is that, say, if EPR was implemented, sites like Facebook or the
>> > WSJ could block Google, or Bing from linking to their site.
>> >
>> > Another concern is that, for example, Bugzilla or github could break links in
>> > a way that I couldn't bookmark them or store them in delicio.us.
>> >
>> > Another concern is that, for example, Yahoo News could be linked to from Bing
>> > but not DuckDuckGo.
>> >
>> > Did I miss any concerns on EPR vs. The Web?
>> Directly linking to "subresources" of an EPR site, presumably.
>> > Which of these concerns is impossible without EPR? Say, with Referrer
>> > checking.
>> As I said, if you implement Referer checking you might end up breaking
>> your own site for a number of users due to weird firewall policies.
>> See past research on that header. I think it was done by Adam Barth.
>> > Is the concern that EPR will make this practice mainstream?
>> It's a concern, certainly.
>> --
>> https://annevankesteren.nl/
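The Referer-checking fragility discussed above (a firewall or proxy that strips Referer locks legitimate users out of a site that enforces it), shown as an added example that is not code from this thread or any of its participants. It compares a strict Referer check with an Origin-first check that treats "no header at all" as a distinct outcome; the origin `https://example.test` and the sample header sets are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed: the origin of the site doing the checking.
SITE_ORIGIN = "https://example.test"


def _origin_of(url):
    """Reduce a URL to scheme://host[:port], or None if it is not absolute."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"


def referer_only_check(headers):
    """Strict Referer enforcement as a CSRF/anti-linking control.

    Returns True only when Referer is present and same-origin. A request whose
    Referer was stripped by a corporate firewall or privacy proxy is rejected
    exactly like a cross-site one, which is how a site breaks for its own users.
    """
    referer = headers.get("Referer")
    if not referer:
        return False
    return _origin_of(referer) == SITE_ORIGIN


def origin_first_check(headers):
    """Prefer Origin, fall back to Referer, and report 'unknown' when neither
    is present so the application can decide (e.g. require a CSRF token) instead
    of silently denying.

    Browsers send Origin on cross-origin requests and on most non-GET requests;
    a value of the literal string "null" never matches our origin, so it is denied.
    """
    origin = headers.get("Origin")
    if origin:
        return "allow" if origin == SITE_ORIGIN else "deny"
    referer = headers.get("Referer")
    if referer:
        return "allow" if _origin_of(referer) == SITE_ORIGIN else "deny"
    return "unknown"


# Constructed sample requests: same-origin, cross-site, and header-stripped.
SAMPLE_REQUESTS = {
    "same_origin_form_post": {"Origin": SITE_ORIGIN, "Referer": SITE_ORIGIN + "/settings"},
    "cross_site_post": {"Origin": "https://attacker.test", "Referer": "https://attacker.test/"},
    "proxy_stripped_headers": {},
}
```

Running `origin_first_check` over `SAMPLE_REQUESTS` yields allow / deny / unknown, while `referer_only_check` cannot tell the stripped-header case apart from the cross-site one.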
Received on Thursday, 12 February 2015 23:07:56 UTC
