W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2016

Re: Limiting requests from the internet to the intranet.

From: Richard Barnes <rbarnes@mozilla.com>
Date: Tue, 12 Jan 2016 16:42:04 -0800
Message-ID: <CAOAcki88QgcYbF0bB0RxpEa3K3rrWynR-=4xYya8RitNaaX9Lw@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Brad Hill <hillbrad@gmail.com>, Dan Veditz <dveditz@mozilla.com>, Brian Smith <brian@briansmith.org>, Ryan Sleevi <sleevi@google.com>, Justin Schuh <jschuh@google.com>, Devdatta Akhawe <dev@dropbox.com>, Anne van Kesteren <annevk@annevk.nl>, Chris Palmer <palmer@google.com>
Since it doesn't seem to have been posted here yet, this seems apropos:

https://code.google.com/p/google-security-research/issues/detail?id=693

Exploitation of this vuln would have been prevented by the system Mike
proposes (as well as most of the variants down-thread).  (Unless TrendMicro
sent the header, of course.)

On Mon, Jan 4, 2016 at 5:10 AM, Mike West <mkwst@google.com> wrote:

> Happy new year, WebAppSec! This seems like a lovely time to rekindle the
> fire under the public/private origin restriction that we removed from Mixed
> Content way back in 2014 (
> http://www.w3.org/TR/2014/WD-mixed-content-20140722/#private-origin).
>
> I've put together a kinder, gentler take on hardening the user agent
> against the kinds of attacks that such requests enable:
> https://mikewest.github.io/cors-rfc1918/. It's pretty rough, as I've only
> poked at it sporadically over the holidays, but I think there's enough
> there to get a conversation going.
>
> In a nutshell, the proposal is to require a CORS-preflight request for
> requests initiated from the public internet which target private IP space.
> This preflight requires an opt-in on the part of the intranet server via a
> new CORS header, but doesn't block the requests entirely (which was a
> failing of the initial proposal). I imagine this server-side opt-in being
> combined in some intelligent way with a user-side opt-in (Presto-style
> interstitial? permission request?), but I haven't explored anything in that
> direction.
>
> CCing a few folks who've commented on the topic in the past; I imagine
> you'll have opinions. :)
>
> -mike
>
Received on Wednesday, 13 January 2016 00:42:35 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:17 UTC