- From: Soares Chen via GitHub <sysbot+gh@w3.org>
- Date: Tue, 19 Sep 2017 09:41:22 +0000
- To: public-webrtc@w3.org
soareschen has just submitted a new pull request for https://github.com/w3c/webrtc-pc:

== Validate protocol string in IdP operations ==

Fixes #1500.

This is based on the protocol field defined in [ietf-rtcweb-security-arch](https://tools.ietf.org/html/draft-ietf-rtcweb-security-arch-12#section-5.6.5):

> protocol: The specific IdP protocol which the IdP is using. This is a completely opaque IdP-specific string, but allows an IdP to implement two protocols in parallel. This value may be the empty string. If no value for protocol is provided, a value of "default" is used.

> Note that the separator characters '/' (%2F) and '\\' (%5C) MUST NOT be permitted in the protocol field, lest an attacker be able to direct requests outside of the controlled "/.well-known/" prefix. Query and fragment values MAY be used by including '?' or '#' characters.

The spec is not clear on how "opaque" the protocol can be with respect to the well-formedness of the URI format. The way I interpret this is that the provider string may contain the path, query, and fragment components of a URI, and each component will be normalized accordingly when forming the well-known URI for the IdP proxy, e.g. invalid characters will be percent-encoded. Since anything can be percent-encoded, that means protocol may contain arbitrary characters other than "/" and "\\", which are explicitly forbidden. Here the percent-encoded strings "%2F" and "%5C" are not banned, because my understanding is that percent encoding will be done by the browser instead of the application.

This PR differs from the approach in #1538. #1538 does not cover percent encoding and the query/fragment component. We might want to discuss more on whether it is the browser's or the application's responsibility to encode the protocol field as a well-formed URI.

See https://github.com/w3c/webrtc-pc/pull/1608
Received on Tuesday, 19 September 2017 09:41:17 UTC
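As an added illustration of the validation the message discusses (this is example code written for this page, not code from the webrtc-pc PR or from any browser), the function below applies the quoted draft rules to the protocol string before it is spliced into the IdP proxy URL: a missing value becomes "default", the empty string is accepted, raw '/' and '\' are rejected, '?' and '#' pass through, and everything else is percent-encoded by the caller (the "browser does the encoding" reading from the message). The `/.well-known/idp-proxy/` path and the `idp.example` domain are taken from the draft's URI form and a constructed sample respectively; the post-parse prefix check is my own defensive addition, there because URL normalisation of a bare `..` segment can still move the path above the prefix without either forbidden character being present.

```javascript
// Added example, not from the PR or the spec: validate an IdP "protocol"
// string and build the well-known IdP proxy URL from it.
// Rules per draft-ietf-rtcweb-security-arch section 5.6.5 as quoted in the
// message: '/' and '\' forbidden, '?' and '#' allowed, empty string allowed,
// missing value means "default". Percent-encoding is done here (browser side).

const WELL_KNOWN_PREFIX = '/.well-known/idp-proxy/'; // path form from the draft

// Raw separator characters that would let the string leave the prefix.
const FORBIDDEN = ['/', '\\'];

function validateProtocol(protocol) {
  if (protocol === undefined || protocol === null) {
    return 'default'; // draft: no value provided -> "default"
  }
  if (typeof protocol !== 'string') {
    throw new TypeError('protocol must be a string');
  }
  for (const ch of FORBIDDEN) {
    if (protocol.includes(ch)) {
      throw new RangeError(`protocol must not contain '${ch}'`);
    }
  }
  return protocol; // the empty string is explicitly allowed
}

// encodeURI leaves '?', '#', '&' and '=' alone, so query and fragment
// components survive, but it percent-encodes '%', spaces, control and
// non-ASCII characters. A literal "%2F" in the input therefore becomes
// "%252F" and can never decode back into a path separator.
function idpProxyUrl(domain, protocol) {
  const p = validateProtocol(protocol);
  const url = new URL(`https://${domain}${WELL_KNOWN_PREFIX}${encodeURI(p)}`);
  // Defensive post-check (my addition): after WHATWG URL normalisation the
  // path must still sit under the prefix. A bare ".." segment, which contains
  // no forbidden character, is caught here.
  if (!url.pathname.startsWith(WELL_KNOWN_PREFIX)) {
    throw new RangeError('protocol escaped the well-known prefix');
  }
  return url.href;
}

// Constructed sample inputs: the protocol string is the application-supplied
// part, the domain comes from the IdP configuration.
function demo() {
  const samples = [undefined, '', 'oauth2?v=2#frag', 'a%2Fb', '../../admin', 'x\\y', '..'];
  const results = {};
  for (const proto of samples) {
    try {
      results[String(proto)] = idpProxyUrl('idp.example', proto);
    } catch (e) {
      results[String(proto)] = `rejected: ${e.message}`;
    }
  }
  return results;
}

console.log(demo());
```

Running it shows the two accepted shapes (the default and a protocol carrying its own query and fragment), the `%2F` case surviving only as the harmless `%252F`, and the three inputs that would have pointed outside the controlled prefix being refused before any request is made.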