Re: Same Origin Policy and HTTP Authentication
Mark Nottingham <mnot@mnot.net> Mon, 06 December 2010 23:54 UTC
Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@core3.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A5FC128C0EA for <ietfarch-httpbisa-archive-bis2Juki@core3.amsl.com>; Mon, 6 Dec 2010 15:54:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.602
X-Spam-Level:
X-Spam-Status: No, score=-8.602 tagged_above=-999 required=5 tests=[AWL=1.996, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, WEIRD_PORT=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1pJO3iegDBTW for <ietfarch-httpbisa-archive-bis2Juki@core3.amsl.com>; Mon, 6 Dec 2010 15:54:43 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by core3.amsl.com (Postfix) with ESMTP id 981243A68D7 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Mon, 6 Dec 2010 15:54:43 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.69) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1PPkuF-0005Ud-09 for ietf-http-wg-dist@listhub.w3.org; Mon, 06 Dec 2010 23:55:43 +0000
Received: from bart.w3.org ([128.30.52.63]) by frink.w3.org with esmtp (Exim 4.69) (envelope-from <mnot@mnot.net>) id 1PPksi-0004cX-GY for ietf-http-wg@listhub.w3.org; Mon, 06 Dec 2010 23:54:08 +0000
Received: from mxout-07.mxes.net ([216.86.168.182]) by bart.w3.org with esmtp (Exim 4.69) (envelope-from <mnot@mnot.net>) id 1PPksg-0001fU-Hd for ietf-http-wg@w3.org; Mon, 06 Dec 2010 23:54:08 +0000
Received: from chancetrain-lm.mnot.net (unknown [118.209.2.20]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id 4762622E257; Mon, 6 Dec 2010 18:53:38 -0500 (EST)
Mime-Version: 1.0 (Apple Message framework v1082)
Content-Type: text/plain; charset="windows-1252"
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <AANLkTimXusQ6aTg6f==GZ7p1SJuVKvU1Pd8ZO-ZeJ_nN@mail.gmail.com>
Date: Tue, 07 Dec 2010 10:53:35 +1100
Cc: ietf-http-wg@w3.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <19BC3924-2E41-43D3-84B7-1D31A528CCD7@mnot.net>
References: <AANLkTimXusQ6aTg6f==GZ7p1SJuVKvU1Pd8ZO-ZeJ_nN@mail.gmail.com>
To: Chirag Shah <chiragshah1@gmail.com>
X-Mailer: Apple Mail (2.1082)
Received-SPF: pass
X-SPF-Guess: pass
X-W3C-Hub-Spam-Status: No, score=-2.6
X-W3C-Hub-Spam-Report: BAYES_00=-2.599, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, WEIRD_PORT=0.001
X-W3C-Scan-Sig: bart.w3.org 1PPksg-0001fU-Hd ee76b0e539669f7a667d03601a24e1bd
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Same Origin Policy and HTTP Authentication
Archived-At: <http://www.w3.org/mid/19BC3924-2E41-43D3-84B7-1D31A528CCD7@mnot.net>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/9839
X-Loop: ietf-http-wg@w3.org
Sender: ietf-http-wg-request@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Resent-Message-Id: <E1PPkuF-0005Ud-09@frink.w3.org>
Resent-Date: Mon, 06 Dec 2010 23:55:43 +0000
Chirag, Changing how HTTP authentication works is explicitly out of scope for this WG, although you will likely find people willing to discuss it here. Although there are a number of places that might be appropriate for this discussion, it might actually be most helpful for you to give this as feedback to the W3C CORS specification: http://www.w3.org/TR/cors/ ... as they're discussing what is effectively a policy mechanism for cross-site requests. Kind regards, On 06/12/2010, at 5:43 AM, Chirag Shah wrote: > Hey httpbis, > > Cross Site HTTP Authentication seems is an obscure phishing vector > that’s often overlooked across the web and sometimes difficult to > workaround. When the WWW-Authenticate header is presented to a > user-agent, it will prompt the user for a user name and password . > > This is a problem because when a webpage is loaded, any external > resource requested by that page can request HTTP Authentication and > trigger this dialog. At this point, it isn't entirely obvious that the > user name/password is being sent to the external resource. > > One way to address this issue is by disallowing HTTP Authentication > for external resources loaded by a webpage by following a variant of > the same-origin-policy. > > Proposed change in user agent behavior: > When the page http://good.com/resource is rendered, the following > table outlines how external resources (requiring Authentication) could > be treated. > > http://evil.com/auth.png - Auth Failure - Different domain > http://good.com/auth.png - Auth Success - Same domain > ws://good.com/secure.htm - Auth Failure Different protocol > http://good.com:99/auth.png - Auth Failure - Different port > http://1.good.com/auth.png - Auth Failure - Different host > > Does it make sense to update RFC 2617 to account for this issue? > > > References: > Cross Site HTTP Authentication: > http://code.google.com/p/google-caja/wiki/PhishingViaCrossSiteHttpAuth > HTTP Authentication: http://www.ietf.org/rfc/rfc2617.txt > The Web Origin Concept: http://tools.ietf.org/html/draft-abarth-origin-06 > > > Thank you, > Chirag Shah - http://chiarg.com > > > -- Mark Nottingham http://www.mnot.net/
- Same Origin Policy and HTTP Authentication Chirag Shah
- Re: Same Origin Policy and HTTP Authentication Mark Nottingham
- Re: Same Origin Policy and HTTP Authentication Anne van Kesteren
- Re: Same Origin Policy and HTTP Authentication Bjoern Hoehrmann