Limiting requests from the internet to the intranet.

Happy new year, WebAppSec! This seems like a lovely time to rekindle the
fire under the public/private origin restriction that we removed from Mixed
Content way back in 2014 (
http://www.w3.org/TR/2014/WD-mixed-content-20140722/#private-origin).

I've put together a kinder, gentler take on hardening the user agent
against the kinds of attacks that such requests enable:
https://mikewest.github.io/cors-rfc1918/. It's pretty rough, as I've only
poked at it sporadically over the holidays, but I think there's enough
there to get a conversation going.

In a nutshell, the proposal is to require a CORS-preflight request for
requests initiated from the public internet which target private IP space.
This preflight requires an opt-in on the part of the intranet server via a
new CORS header, but doesn't block the requests entirely (which was a
failing of the initial proposal). I imagine this server-side opt-in being
combined in some intelligent way with a user-side opt-in (Presto-style
interstitial? permission request?), but I haven't explored anything in that
direction.

CCing a few folks who've commented on the topic in the past; I imagine
you'll have opinions. :)

-mike

Received on Monday, 4 January 2016 13:11:37 UTC
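A model of the user-agent gate the post sketches, as an added example (not code from the cors-rfc1918 draft or from the author): a request only needs the extra preflight when a public-address initiator targets private address space, and the fetch proceeds only if the intranet server answers with the opt-in header. The header name `Access-Control-Allow-External` and the exact set of "private" ranges (RFC 1918 plus loopback and link-local) are assumptions, since the post names neither.

```python
import ipaddress
from typing import Optional

# Address ranges the user agent treats as "private": RFC 1918 plus loopback
# and link-local. Assumed here; the post does not enumerate the ranges.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Assumed name of the new CORS opt-in header; the post names no header.
OPT_IN_HEADER = "access-control-allow-external"


def address_space(ip: str) -> str:
    """Classify a resolved IP address as 'private' or 'public'."""
    addr = ipaddress.ip_address(ip)
    return "private" if any(addr in net for net in PRIVATE_NETS) else "public"


def preflight_required(initiator_ip: str, target_ip: str) -> bool:
    """Only a public -> private request crosses the boundary the proposal guards."""
    return address_space(initiator_ip) == "public" and address_space(target_ip) == "private"


def server_opts_in(preflight_headers: dict) -> bool:
    """The intranet server must explicitly answer the preflight with the opt-in header."""
    lowered = {k.lower(): v.strip().lower() for k, v in preflight_headers.items()}
    return lowered.get(OPT_IN_HEADER) == "true"


def decide(initiator_ip: str, target_ip: str, preflight_headers: Optional[dict] = None) -> str:
    """User-agent decision for one fetch.

    Returns 'send' (gate does not apply), 'preflight' (gate applies, preflight
    not yet performed), 'allow' (preflight carried the opt-in) or 'block'.
    """
    if not preflight_required(initiator_ip, target_ip):
        return "send"
    if preflight_headers is None:
        return "preflight"
    return "allow" if server_opts_in(preflight_headers) else "block"


if __name__ == "__main__":
    # Constructed sample: a page served from a public address reaches for a home router.
    print(decide("203.0.113.10", "192.168.1.1"))                                              # preflight
    print(decide("203.0.113.10", "192.168.1.1", {"Access-Control-Allow-External": "true"}))  # allow
    print(decide("203.0.113.10", "192.168.1.1", {}))                                          # block
    print(decide("10.0.0.5", "192.168.1.1"))                                                  # send
```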