Re: Origin vs Authority; use of HTTPS (draft-nottingham-site-meta-01)

On Tue, Feb 10, 2009 at 11:51 PM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
>> In particular, you should require that
>> the host-meta file should be served with a specific mime type (ignore
>> the response if the mime type is wrong.  This protects servers that
>> let users upload content from having attackers upload a bogus
>> host-meta file.
>
> I am not sure the value added in security (which I find hard to buy) is worth excluding many
> hosting solutions where people do not always have access to setting content-type headers.
> After all, focusing on an HTTP GET based solution was based on getting the most
> accessible approach.

Adobe found the security case compelling enough to break backwards
compatibility in their crossdomain.xml policy file system to enforce
this requirement.  Most serious Web sites opt-in to requiring an
explicit Content-Type.  For example,

$ wget http://mail.google.com/crossdomain.xml --save-headers
$ cat crossdomain.xml
HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy
Last-Modified: Tue, 04 Mar 2008 21:38:05 GMT
Set-Cookie: ***REDACTED***
Date: Wed, 11 Feb 2009 18:07:40 GMT
Server: gws
Cache-Control: private, x-gzip-ok=""
Expires: Wed, 11 Feb 2009 18:07:40 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM
"http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="by-content-type" />
</cross-domain-policy>

Google Gears has also recently issued a security patch enforcing the
same Content-Type checks to protect their users from similar attacks.

>> Also, if you want this feature to be useful for Web browsers, you
>> should align the scope of the host-meta file with the notion of origin
>> (not authority).
>
> The scope is host/port/protocol. The protocol is not said explicitly but is very much implied.
> I'll leave it up to Mark to address wordings. As for the term 'origin', I'd rather do anything but
> get involved with another term at this point.

I'd greatly prefer that this was stated explicitly.  Why leave such
a critical security requirement implied?

Adam

Received on Wednesday, 11 February 2009 18:14:40 UTC
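Added example (not code from the message above or from the site-meta draft) of the Content-Type check the message argues for: a fetched policy file is trusted only when the server labels it with the mandated media type, so a file uploaded to a user-content host and served as text/plain is ignored. The crossdomain.xml type is the one visible in the wget output; the host-meta media type is an assumed placeholder, since the draft does not fix one.

```python
# Added example, not code from the thread or from the site-meta draft: apply
# the check Adam argues for, trusting a fetched policy/metadata file only when
# the server labels it with the mandated media type, so a file an attacker
# uploaded to a user-content host (served as text/plain etc.) is ignored.
# text/x-cross-domain-policy is the type seen in the wget output above; the
# host-meta type is an ASSUMED placeholder, since the draft fixes none.
EXPECTED_TYPES = {
    "/crossdomain.xml": "text/x-cross-domain-policy",
    "/host-meta": "application/x-host-meta-placeholder",  # assumption
}

def media_type(header):
    """Bare media type from a Content-Type value: parameters such as
    ';charset=utf-8' dropped, case folded. None if absent or empty."""
    if header is None:
        return None
    return header.split(";", 1)[0].strip().lower() or None

def accept_policy(path, status, headers, body):
    """Return body if the response may be trusted as the policy file at
    `path`, else None (treat as 'no policy published')."""
    if status != 200 or path not in EXPECTED_TYPES:
        return None
    ctype = next((v for k, v in headers.items()
                  if k.lower() == "content-type"), None)
    if media_type(ctype) != EXPECTED_TYPES[path]:
        return None  # wrong or missing type: ignore the response
    return body

# Constructed sample responses (not captured traffic).
POLICY = ('<cross-domain-policy><site-control '
          'permitted-cross-domain-policies="by-content-type"/>'
          '</cross-domain-policy>')
SAMPLES = [
    ("mandated type", 200,
     {"Content-Type": "text/x-cross-domain-policy"}, POLICY),
    ("mandated type, charset parameter and odd case", 200,
     {"content-type": "Text/X-Cross-Domain-Policy; charset=utf-8"}, POLICY),
    ("user upload served by a generic file host", 200,
     {"Content-Type": "text/plain"}, POLICY),
    ("no Content-Type header at all", 200, {}, POLICY),
]

def check_samples():
    """Map each sample label to whether accept_policy would trust it."""
    return {label: accept_policy("/crossdomain.xml", st, hdrs, body) is not None
            for label, st, hdrs, body in SAMPLES}
```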