- From: <noah_mendelsohn@us.ibm.com>
- Date: Mon, 15 May 2006 21:27:37 -0400
- To: Dan Connolly <connolly@w3.org>
- Cc: Stuart Williams <skw@hp.com>, www-tag@w3.org
Dan Connolly wrote:
> Regarding...
>
> | HTML forms [HTMLForms] and now XForms [XFORMS] each provide a means by
> | which a authority can assert its support for a class of parameterized
> | URIs, while simultaneously programming Web clients to prompt for the
> | necessary parameters.
>
> You might note that the action= attribute allows a form to point
> anywhere in the web, so in fact, HTML forms allows anyone,
> not just an authority, to make claims about the URI structure
> of http://example.org/cityweather .
Yes, interesting.
> That introduces a 3rd party into the discussion. That might
> be more trouble than it's worth. Hmm.
Well, the subtlety seems to me that the claims are authoritative (in the
sense the finding discusses) only if the authority sourcing the form and
the authority for the ACTION URI are the same. It's cool that I can serve
up lots of Web forms with ACTIONs pointing to danconnolly.com, but I
expect you shouldn't be held responsible for either the implied structure
of your URIs, or for anything I might say about them in the natural
language text of the form. I'm thinking it might be worth a sentence in
the finding to give that warning, I.e. that 3rd party claims in forms have
the same standing or lack thereof as 3rd party claims in books, ordinary
web pages, or on the sides of busses: trust claims that (appear to be)
made by someone other than the resource authority only at your own risk.
> I think the "Hiding metadata for security reasons" story
> is a little thin. It's in the right direction, but there
> are more credible threats than a "malicious worker at
> an Internet Service Provider" these days.
>
> Does anybody have a cross-site scripting horror story
> or something that's not too hard to follow?
Suggestions are most welcome.
FWIW: I am fairly sure I know of a security consultant who discovered
exactly the problem in the finding in the early days of the Web. He
basically went to the bank or credit card company (not sure which): "Your
site's not secure"; "Yes it is"; "Well I have account information for a
few of your customers and can show you how to get more"; "Ooops - how'd
you do it?".
The person who discovered the problem found that the URI for his account
record was along the lines of:
http://notsogoodbank.com/accountdata/customer="144"
seems that
http://notsogoodbank.com/accountdata/customer="143"
& http://notsogoodbank.com/accountdata/customer="142"
produced useful information about other accounts. I'm remembering that
from many years ago and have no documentation, but I believe the essence
of the story is right. So this stuff happens, or used to happen anyway.
If anyone has more compelling ideas for the security story, that would be
great. Frankly, I was afraid the finding was getting too long, but if you
still had patience for more, maybe others would feel the same. I'm
certainly willing to add more if we can figure out what we want there.
Noah
--------------------------------------
Noah Mendelsohn
IBM Corporation
One Rogers Street
Cambridge, MA 02142
1-617-693-4036
--------------------------------------
Received on Tuesday, 16 May 2006 01:27:47 UTC