- From: Ian Hickson <ian@hixie.ch>
- Date: Wed, 30 Jan 2008 20:33:36 +0000 (UTC)
On Wed, 23 Jan 2008, Darin Fisher wrote:
>
> HTTP auth headers may be required to access the internet (e.g., to pass
> a request through a proxy server), so this should only apply to the
> Authorization request header, right?

On Thu, 24 Jan 2008, Kornel Lesinski wrote:
>
> I don't think that attack vector discussed on mozilla.dev.platform
> should be taken so seriously. In my opinion, the case when <a ping> enables
> an attack (instead of being just one of countless possible attack vectors)
> is very very unlikely:
>
> - If the site accepts data from GET as well as POST (e.g. is using PHP's
> register_globals), then <a ping> is not needed at all -- a better attack
> can be performed with a simple <img src> or <a href>.
>
> - If the site allows HTML from an untrusted source and allows ping to slip
> through, it is very likely that the site can be tricked into allowing other
> potentially dangerous attributes or scripts.
>
> - Because not all browsers/proxies/firewalls send the Referer header,
> public-facing websites have to accept POSTs without Referer, so
> forbidding Referer for <a ping> may not increase security and may even make
> it harder to protect against CSRF.
>
> OTOH Referer can help save bandwidth. Without it the page may need to
> include its own URL in every <a ping> attribute. On pages with lots of
> links (portals, directories) this can noticeably increase the size of the HTML.
>
> Maybe these problems could be solved with an additional HTTP header in
> the ping request? e.g.:
>
> X-Ping: from="http://example.com/here", to="http://example.com/there"
>
> This would make it easy to protect against unwanted ping-originated
> requests (one could configure the server or set up an application firewall to
> filter pings), and the URL in <a ping> wouldn't have to contain copies of
> the page's URL and href.

What do people think of this idea:

We make "Referer" always have the value "PING".

We add two headers, "X-Ping-From" which has the value of the page that
had the link, and "X-Ping-To" which has the value of the page that is
being opened.

We continue to send all cookie and authentication headers.

What do people think? Would this address all the issues raised?

-- 
Ian Hickson                  U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 30 January 2008 12:33:36 UTC
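As an added illustration of the server-side filtering Kornel suggests, applied to the headers Ian proposes in the message above (example code written for this archive page, not part of the thread or any browser or spec; the `PING_ENDPOINT` path, the `check_ping_request` function and the sample requests are constructed assumptions): a request that carries the `Referer: PING` marker is accepted only on the one endpoint that expects pings, so a ping aimed at any other URL is refused even though cookies and auth headers still arrive with it.

```python
from urllib.parse import urlsplit

# Hypothetical: the only path on this server that expects ping-originated POSTs.
PING_ENDPOINT = "/ping"


def _lower_headers(headers):
    # Header names are case-insensitive; normalise once so lookups are simple.
    return {name.lower(): value for name, value in headers.items()}


def is_ping_request(headers):
    """True if the request carries the marker headers proposed in the thread:
    Referer fixed to "PING" plus X-Ping-From and X-Ping-To."""
    h = _lower_headers(headers)
    return h.get("referer") == "PING" and "x-ping-from" in h and "x-ping-to" in h


def _absolute_http_url(value):
    # Both ping headers are meant to carry page URLs, so insist on an
    # absolute http(s) URL rather than accepting arbitrary strings.
    parts = urlsplit(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def check_ping_request(method, path, headers):
    """Return (status, reason) for how a server should treat the request.

    Ordinary requests pass through untouched. Ping-marked requests are only
    honoured as POSTs to PING_ENDPOINT; a ping that lands on a state-changing
    URL (the CSRF concern raised in the thread) is refused with 403.
    """
    if not is_ping_request(headers):
        return (200, "ordinary request")
    if method != "POST":
        return (405, "ping must be a POST")
    if path != PING_ENDPOINT:
        return (403, "ping-originated request to non-ping endpoint")
    h = _lower_headers(headers)
    for name in ("x-ping-from", "x-ping-to"):
        if not _absolute_http_url(h[name]):
            return (400, name + " is not an absolute http(s) URL")
    return (204, "ping recorded")


if __name__ == "__main__":
    # Constructed sample: a well-formed ping to the ping endpoint.
    sample = {"Referer": "PING", "X-Ping-From": "http://example.com/here",
              "X-Ping-To": "http://example.com/there", "Cookie": "session=abc"}
    print(check_ping_request("POST", "/ping", sample))
```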