Re: [hybi] Last Call: <draft-ietf-hybi-thewebsocketprotocol-10.txt> (The WebSocket protocol) to Proposed Standard

Iñaki Baz Castillo <ibc@aliax.net> Sun, 24 July 2011 11:33 UTC

Return-Path: <ibc@aliax.net>
X-Original-To: hybi@ietfa.amsl.com
Delivered-To: hybi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08F1821F84F6; Sun, 24 Jul 2011 04:33:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.664
X-Spam-Level:
X-Spam-Status: No, score=-2.664 tagged_above=-999 required=5 tests=[AWL=0.013, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mfjj+8dMiy6q; Sun, 24 Jul 2011 04:33:14 -0700 (PDT)
Received: from mail-qw0-f44.google.com (mail-qw0-f44.google.com [209.85.216.44]) by ietfa.amsl.com (Postfix) with ESMTP id 48E9F21F8686; Sun, 24 Jul 2011 04:33:14 -0700 (PDT)
Received: by qwc23 with SMTP id 23so2675563qwc.31 for <multiple recipients>; Sun, 24 Jul 2011 04:33:13 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.229.105.95 with SMTP id s31mr2548960qco.228.1311507193354; Sun, 24 Jul 2011 04:33:13 -0700 (PDT)
Received: by 10.229.185.195 with HTTP; Sun, 24 Jul 2011 04:33:13 -0700 (PDT)
In-Reply-To: <CAP992=FCQ4uLBw5RWsBjEy-ayZDKkzs4A3j4U37x1n=ZNbwb1A@mail.gmail.com>
References: <20110711140229.17432.23519.idtracker@ietfa.amsl.com> <CALiegfk0zVVRBbOP4ugsVXKmcLnryujP6DZqF6Bu_dC2C3PpeQ@mail.gmail.com> <9031.1311082001.631622@puncture> <CALiegfk_GLAhAf=yEe6hYw2bwtxEwg9aJN+f0Bm9he5QgsRavA@mail.gmail.com> <CAP992=Ft6NwG+rbcuWUP0npwVNHY_znHmXmznBQO_krMo3RT6g@mail.gmail.com> <CALiegfmTWMP3GhS1-k2aoHHXkUkB+eWqV=2+BufuWVR1s2Z-EA@mail.gmail.com> <20110721163910.GA16854@1wt.eu> <CAP992=FrX5VxP2o0JLNoJs8nXXba7wbZ6RN9wBUYC0ZSN_wbAg@mail.gmail.com> <9031.1311270000.588511@puncture> <CALiegf=pYzybvc7WB2QfPg6FKrhLxgzHuP-DpuuMfZYJV6Z7FQ@mail.gmail.com> <CAP992=FJymFPKcPVWrF-LkcEtNUz=Kt9L_ex+kLtjiGjL1T46w@mail.gmail.com> <4E28A51F.4020704@callenish.com> <9031.1311286867.939466@puncture> <4E28BA9D.6010501@callenish.com> <CAP992=GedTEfimykCWwdwm=BsZdwFRJO36EO0a_o7iejURJ+tQ@mail.gmail.com> <9031.1311328519.488604@puncture> <CAP992=GuGMB7e=skLnW=gjQU0rnbh2BD2A_bRyy3Fkrphmj=VQ@mail.gmail.com> <CAP992=FCQ4uLBw5RWsBjEy-ayZDKkzs4A3j4U37x1n=ZNbwb1A@mail.gmail.com>
Date: Sun, 24 Jul 2011 13:33:13 +0200
Message-ID: <CALiegfnftFGgLOs2ukk1JOFpnJHn06HBunuXaPz9N03UJb+6+w@mail.gmail.com>
From: Iñaki Baz Castillo <ibc@aliax.net>
To: David Endicott <dendicott@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: Server-Initiated HTTP <hybi@ietf.org>, IETF-Discussion <ietf@ietf.org>
Subject: Re: [hybi] Last Call: <draft-ietf-hybi-thewebsocketprotocol-10.txt> (The WebSocket protocol) to Proposed Standard
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 24 Jul 2011 11:33:15 -0000

2011/7/22 David Endicott <dendicott@gmail.com>:
> Actually....I wasn't talking about the Host: header - that is totally
> spoofable...I was concerned about:
> 1. Browser client resolves example.com via old style DNS to x.x.x.x and
> fetches HTTP
> 2. Received HTML starts JS which starts WS connection
> 3. WS resolves example.com via DNS SRV to y.y.y.y and opens
> 4. WS now has access outside origin.
> Please note, I did not specify why DNS SRV resolved differently than old
> style DNS - could be malicious, could be an simple mistake.     I am
> assuming the DNS SRV and old DNS might be answered from different servers.
> Do browsers restrict origin / cross-site access based on name or on address?


Now I assume that there is no SRV stuff at all:

1. Browser client resolves example.com via old style DNS to x.x.x.x and
fetches HTTP.

2. Received HTML contains a JS with a WS URI "ws://other-domain.net".

3. WS resolves other-domain.ne via old style DNS to z.z.z.z and opens.

4. WS now has access outside origin.


Is there any spec in which it's said that the WS URI must point to the
same domain as the initial web page?

NOTE: Anyhow, in the case of DNS SRV such domain can be the same. My
example above is just another.


-- 
Iñaki Baz Castillo
<ibc@aliax.net>