Re: [hybi] Concerns about Origin

Zhong Yu <zhong.j.yu@gmail.com> Mon, 22 November 2010 18:45 UTC

In-Reply-To: <op.vmky62ixidj3kv@dhcp-190.linkoping.osa>
References: <op.vmkpgllmidj3kv@simon-pieterss-macbook.local> <AANLkTi=hVXa1yFbLr-pRS25gA2F__X3bM9w08O99my6s@mail.gmail.com> <op.vmky62ixidj3kv@dhcp-190.linkoping.osa>
Date: Mon, 22 Nov 2010 12:46:53 -0600
Message-ID: <AANLkTimij_Ad-wdH2W95om1mwwQq3Ld7XtZZixAJPwmR@mail.gmail.com>
From: Zhong Yu <zhong.j.yu@gmail.com>
To: Simon Pieters <simonp@opera.com>
Cc: "hybi@ietf.org" <hybi@ietf.org>
Subject: Re: [hybi] Concerns about Origin

On Mon, Nov 22, 2010 at 10:38 AM, Simon Pieters <simonp@opera.com> wrote:
> On Mon, 22 Nov 2010 17:07:46 +0100, Zhong Yu <zhong.j.yu@gmail.com> wrote:
>
>> I agree. The spec should *require* servers to actively check Origin
>> and reject handshake immediately if Origin isn't accepted, instead of
>> allowing servers to defer that logic to clients.
>
> If the server has a hardcoded Sec-WebSocket-Origin value, I have no problem
> with relying on the client checking that it matches what it sent.

In that case, how hard is it to match the single hardcoded Origin with
the single Origin the client sent? Why do we even give the server a
choice here?

> My problem
> is with servers just echoing the Origin and the app writer has no idea that
> it allows connections from anywhere.
>
>> APIs for server apps should have a hook to the handshake event, so
>> that apps can participate in the handshake. Apps have an opportunity
>> here to check Origin, set cookies, etc. per connection.
>
> pywebsocket allows apps to do extra checks in the handshake, but I'd like to
> take a step further and make the origin choice a required step for the app
> writer.
>
>
>> "Same origin" policy probably would be the most popular/default
>> policy. A simple and safe way to implement that on server side is to
>> match "Origin" with "Host" header(or the host part of the ws resource
>> URI).
>
> Host only carries domain and port, not the protocol, and the port for the
> websocket connection can very well be different than the port of the page
> you expect a connection from...
>
Sure. But the policy of "Origin=Host" probably will work for most
deployments, therefore it's not a bad choice for a default, given that
it is safe.

>
>> That is safe if we assume that all pages on the Host can be trusted.
>> Cookies don't assume that, they have an additional "path" restriction.
>
> The "path" feature for cookies does not help anything with security, since the
> same-origin-policy allows you to open an iframe within the same origin and
> eat all the cookies.

That's interesting. Can you give me a link?

>
>> If a WS app is as paranoid, currently it doesn't have a way to know on
>> which page specifically the connection is made.
>
> That is by design, so that people don't fall into the cookie "path" trap and
> think they're safe when they're not.
>
>
>> The app can add its
>> own anti-XSRF measure like what we have to do for HTTP but that's not
>> too easy.
>>
>> - Zhong Yu
>>
>
> Cheers,
> --
> Simon Pieters
> Opera Software
>
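The three server-side choices argued over in this exchange, side by side: a hardcoded allowlist, the "Origin = Host" default together with Simon's caveat that Host carries no scheme and the WebSocket port may differ from the page's, and the echo-whatever-arrived pattern that accepts every site on the web. This is an added example, not code from the thread, from pywebsocket or from any browser; the header names follow the draft under discussion (the client sends Origin, the server answers with Sec-WebSocket-Origin), while the policy functions, the `handshake` helper and the sample requests are constructed for illustration.

```python
"""Server-side Origin checks for a WebSocket handshake.

Added example, not code from the hybi thread, pywebsocket or any browser.
Header names follow the draft discussed on the list (client sends Origin,
server answers Sec-WebSocket-Origin); the policy helpers, their names and
the sample handshakes below are constructed for illustration.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# Scheme the page must have been loaded with for a ws:// (False) or wss:// (True) endpoint.
PAGE_SCHEME_FOR = {False: "http", True: "https"}


def parse_origin(origin):
    """Return (scheme, host, port) for an Origin value, or None.

    A browser's Origin is scheme://host[:port] with no path or userinfo.
    Anything else, including the literal "null", fails closed.
    """
    if origin is None:
        return None
    try:
        parts = urlsplit(origin.strip().lower())
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment or parts.username:
        return None
    return parts.scheme, parts.hostname, port or DEFAULT_PORTS[parts.scheme]


def parse_host(host, secure):
    """Return (host, port) from a Host header.  The header has no scheme, so
    the port defaults from the transport: 80 for ws, 443 for wss."""
    parsed = parse_origin(f"{PAGE_SCHEME_FOR[secure]}://{host}")
    return None if parsed is None else parsed[1:]


def allowlist_policy(allowed):
    """Hardcoded allowlist: the server knows exactly which origins it vouches
    for, so it can state a single Sec-WebSocket-Origin with confidence."""
    allowed = {parse_origin(a) for a in allowed} - {None}

    def check(origin, host, secure):
        return parse_origin(origin) in allowed
    return check


def same_host_policy(any_port=False):
    """The 'Origin = Host' default from the thread.  Host carries no scheme,
    so the page scheme is inferred from the transport (https page for wss);
    the port is compared only when any_port is False, because the WebSocket
    port is often not the page's port."""
    def check(origin, host, secure):
        o, h = parse_origin(origin), parse_host(host, secure)
        if o is None or h is None or o[0] != PAGE_SCHEME_FOR[secure]:
            return False
        return o[1] == h[0] and (any_port or o[2] == h[1])
    return check


def echo_policy(origin, host, secure):
    """The pattern Simon warns about: echo whatever Origin arrived.  Every
    page on the web is accepted; kept only to show the failure."""
    return origin is not None


def handshake(headers, secure, policy):
    """Return (status, response_headers) for a handshake request.

    The Origin decision is made on the server: an unacceptable Origin is
    refused with 403 before any Sec-WebSocket-Origin is sent, so nothing
    relies on the client comparing the echoed value with what it sent.
    """
    origin, host = headers.get("Origin"), headers.get("Host")
    if host is None or not policy(origin, host, secure):
        return 403, {}
    return 101, {"Sec-WebSocket-Origin": origin}


# Constructed handshake requests: a same-site page, the same page talking to a
# WebSocket on another port, and a third-party page riding the user's cookies.
SAME_SITE = {"Host": "chat.example.com", "Origin": "https://chat.example.com"}
OTHER_PORT = {"Host": "chat.example.com:8443", "Origin": "https://chat.example.com"}
THIRD_PARTY = {"Host": "chat.example.com:8443", "Origin": "https://evil.example"}

if __name__ == "__main__":
    policies = [("allowlist", allowlist_policy(["https://chat.example.com"])),
                ("same-host", same_host_policy(any_port=True)),
                ("echo", echo_policy)]
    for name, policy in policies:
        for label, req in [("same-site", SAME_SITE), ("other-port", OTHER_PORT),
                           ("third-party", THIRD_PARTY)]:
            print(f"{name:10} {label:12} -> {handshake(req, True, policy)[0]}")
```

Running it shows the point of the thread in one table: the allowlist and same-host policies refuse the third-party page with 403, the same-host policy needs `any_port=True` (or an explicit port in the allowlist) before it accepts the other-port case, and the echo policy answers 101 to all three, which is exactly the deployment Simon describes where the app writer "has no idea that it allows connections from anywhere".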