Same Origin Policy and HTTP Authentication

Chirag Shah <chiragshah1@gmail.com> Mon, 06 December 2010 09:49 UTC

From: Chirag Shah <chiragshah1@gmail.com>
To: ietf-http-wg@w3.org
Date: Sun, 05 Dec 2010 18:43:27 +0000
ReSent-Date: Mon, 06 Dec 2010 04:47:20 -0500
ReSent-From: Yves Lafon <ylafon@w3.org>
ReSent-To: ietf-http-wg@w3.org
ReSent-Subject: [Moderator Action] Same Origin Policy and HTTP Authentication
Subject: Same Origin Policy and HTTP Authentication
Archived-At: <http://www.w3.org/mid/AANLkTimXusQ6aTg6f==GZ7p1SJuVKvU1Pd8ZO-ZeJ_nN@mail.gmail.com>

Hey httpbis,

Cross Site HTTP Authentication seems to be an obscure phishing vector
that's often overlooked across the web and sometimes difficult to
work around. When the WWW-Authenticate header is presented to a
user-agent, it will prompt the user for a user name and password.

This is a problem because when a webpage is loaded, any external
resource requested by that page can request HTTP Authentication and
trigger this dialog. At this point, it isn't entirely obvious that the
user name/password is being sent to the external resource.

One way to address this issue is by disallowing HTTP Authentication
for external resources loaded by a webpage by following a variant of
the same-origin-policy.

Proposed change in user agent behavior:
When the page http://good.com/resource is rendered, the following
table outlines how external resources (requiring Authentication) could
be treated.

http://evil.com/auth.png       -  Auth Failure  -  Different domain
http://good.com/auth.png       -  Auth Success  -  Same domain
ws://good.com/secure.htm       -  Auth Failure  -  Different protocol
http://good.com:99/auth.png    -  Auth Failure  -  Different port
http://1.good.com/auth.png     -  Auth Failure  -  Different host

Does it make sense to update RFC 2617 to account for this issue?


References:
Cross Site HTTP Authentication:
http://code.google.com/p/google-caja/wiki/PhishingViaCrossSiteHttpAuth
HTTP Authentication: http://www.ietf.org/rfc/rfc2617.txt
The Web Origin Concept: http://tools.ietf.org/html/draft-abarth-origin-06


Thank you,
Chirag Shah - http://chiarg.com