Re: [hybi] Concerns about Origin

Zhong Yu <zhong.j.yu@gmail.com> Mon, 22 November 2010 16:06 UTC

In-Reply-To: <op.vmkpgllmidj3kv@simon-pieterss-macbook.local>
References: <op.vmkpgllmidj3kv@simon-pieterss-macbook.local>
Date: Mon, 22 Nov 2010 10:07:46 -0600
Message-ID: <AANLkTi=hVXa1yFbLr-pRS25gA2F__X3bM9w08O99my6s@mail.gmail.com>
From: Zhong Yu <zhong.j.yu@gmail.com>
To: Simon Pieters <simonp@opera.com>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: "hybi@ietf.org" <hybi@ietf.org>
Subject: Re: [hybi] Concerns about Origin

I agree. The spec should *require* servers to actively check Origin
and reject the handshake immediately if Origin isn't accepted, instead of
allowing servers to defer that logic to clients.

APIs for server apps should have a hook to the handshake event, so
that apps can participate in the handshake. Apps have an opportunity
here to check Origin, set cookies, etc. per connection.

"Same origin" policy probably would be the most popular/default
policy. A simple and safe way to implement that on the server side is to
match the "Origin" header with the "Host" header (or the host part of the ws
resource URI).

That is safe if we assume that all pages on the Host can be trusted.
Cookies don't assume that, they have an additional "path" restriction.
If a WS app is as paranoid, currently it doesn't have a way to know on
which page specifically the connection is made. The app can add its
own anti-XSRF measure like what we have to do for HTTP, but that's not
too easy.

- Zhong Yu
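The server-side check the message describes (match Origin against Host, reject the handshake with 403 before any frame is exchanged, and expose the decision as a per-connection hook an app can replace), written out as an added example; it is not code from the thread or from any WebSocket implementation. The function names, the `policy` hook parameter and the sample request are assumptions made for illustration. Note that, exactly as the message says, this check can only see the origin, not which page on that host opened the connection.

```python
"""Origin check for a WebSocket opening handshake (example, not from the thread).

Policy: the Origin header must name the same host and port as the Host
header, with ports defaulted from the scheme (http -> 80, https -> 443).
A missing, "null" or malformed Origin fails closed.
"""
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample handshake request; not captured from any real client.
SAMPLE_REQUEST = (
    "GET /chat HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Origin: http://example.com\r\n"
    "\r\n"
)


def _host_port(authority: str, scheme: str) -> Optional[Tuple[str, int]]:
    """Split 'host[:port]' into (lowercased host, port); None if unparsable."""
    parsed = urlsplit(f"{scheme}://{authority}")
    if not parsed.hostname:
        return None
    try:
        port = parsed.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    return parsed.hostname.lower(), port if port is not None else DEFAULT_PORTS[scheme]


def origin_matches_host(origin: Optional[str], host: Optional[str], tls: bool) -> bool:
    """True iff Origin's host:port equals Host's host:port (same-origin policy).

    The Host header has no scheme, so its default port comes from whether
    the WebSocket connection itself is TLS (wss -> 443, ws -> 80).
    """
    if not origin or not host or origin.strip().lower() == "null":
        return False
    o = urlsplit(origin.strip())
    # A serialized origin is scheme://host[:port] only; anything else is malformed.
    if o.scheme not in DEFAULT_PORTS or not o.netloc or o.path or o.query or o.fragment:
        return False
    origin_hp = _host_port(o.netloc, o.scheme)
    host_hp = _host_port(host.strip(), "https" if tls else "http")
    return origin_hp is not None and origin_hp == host_hp


def parse_headers(raw_request: str) -> Tuple[str, Dict[str, str]]:
    """Minimal HTTP/1.1 request parser: request line plus lowercased header names."""
    lines = raw_request.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def check_handshake(
    raw_request: str,
    tls: bool = False,
    policy: Callable[[Optional[str], Optional[str], bool], bool] = origin_matches_host,
) -> int:
    """Return 403 if the Origin policy rejects the request, else 101.

    `policy` is the per-connection hook the message asks for: an app can pass
    its own callable (e.g. an explicit allow-list) instead of the default.
    Returning 101 here only means "continue with the rest of the handshake".
    """
    _, headers = parse_headers(raw_request)
    if not policy(headers.get("origin"), headers.get("host"), tls):
        return 403
    return 101


if __name__ == "__main__":
    print(check_handshake(SAMPLE_REQUEST))  # same origin -> 101
    foreign = SAMPLE_REQUEST.replace("Origin: http://example.com", "Origin: http://attacker.example")
    print(check_handshake(foreign))  # different host -> 403
```

The check is deliberately strict about ports: a page served from `http://example.com` (port 80) does not match a `wss` endpoint whose Host resolves to port 443, because those are different origins. An app that wants to allow that, or a list of partner origins, supplies its own `policy` callable through the hook rather than loosening the default.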