Re: [hybi] Last Call: <draft-ietf-hybi-thewebsocketprotocol-10.txt> (The WebSocket protocol) to Proposed Standard

Ted Hardie <ted.ietf@gmail.com> Sat, 23 July 2011 18:41 UTC

In-Reply-To: <CAP992=FCQ4uLBw5RWsBjEy-ayZDKkzs4A3j4U37x1n=ZNbwb1A@mail.gmail.com>
References: <20110711140229.17432.23519.idtracker@ietfa.amsl.com> <CALiegfk0zVVRBbOP4ugsVXKmcLnryujP6DZqF6Bu_dC2C3PpeQ@mail.gmail.com> <9031.1311082001.631622@puncture> <CALiegfk_GLAhAf=yEe6hYw2bwtxEwg9aJN+f0Bm9he5QgsRavA@mail.gmail.com> <CAP992=Ft6NwG+rbcuWUP0npwVNHY_znHmXmznBQO_krMo3RT6g@mail.gmail.com> <CALiegfmTWMP3GhS1-k2aoHHXkUkB+eWqV=2+BufuWVR1s2Z-EA@mail.gmail.com> <20110721163910.GA16854@1wt.eu> <CAP992=FrX5VxP2o0JLNoJs8nXXba7wbZ6RN9wBUYC0ZSN_wbAg@mail.gmail.com> <9031.1311270000.588511@puncture> <CALiegf=pYzybvc7WB2QfPg6FKrhLxgzHuP-DpuuMfZYJV6Z7FQ@mail.gmail.com> <CAP992=FJymFPKcPVWrF-LkcEtNUz=Kt9L_ex+kLtjiGjL1T46w@mail.gmail.com> <4E28A51F.4020704@callenish.com> <9031.1311286867.939466@puncture> <4E28BA9D.6010501@callenish.com> <CAP992=GedTEfimykCWwdwm=BsZdwFRJO36EO0a_o7iejURJ+tQ@mail.gmail.com> <9031.1311328519.488604@puncture> <CAP992=GuGMB7e=skLnW=gjQU0rnbh2BD2A_bRyy3Fkrphmj=VQ@mail.gmail.com> <CAP992=FCQ4uLBw5RWsBjEy-ayZDKkzs4A3j4U37x1n=ZNbwb1A@mail.gmail.com>
Date: Sat, 23 Jul 2011 14:41:11 -0400
Message-ID: <CA+9kkMBE9b=K13rJ7wTkk0V6fx5q9z7X5eVoak1_=DYT4JxYKQ@mail.gmail.com>
From: Ted Hardie <ted.ietf@gmail.com>
To: David Endicott <dendicott@gmail.com>
Cc: Server-Initiated HTTP <hybi@ietf.org>, IETF-Discussion <ietf@ietf.org>
Subject: Re: [hybi] Last Call: <draft-ietf-hybi-thewebsocketprotocol-10.txt> (The WebSocket protocol) to Proposed Standard

On Fri, Jul 22, 2011 at 9:47 AM, David Endicott <dendicott@gmail.com> wrote:

>
> Actually....I wasn't talking about the Host: header - that is totally
> spoofable...I was concerned about:
>
> 1. Browser client resolves example.com via old style DNS to x.x.x.x and
> fetches HTTP
> 2. Received HTML starts JS which starts WS connection
> 3. WS resolves example.com via DNS SRV to y.y.y.y and opens
> 4. WS now has access outside origin.
>
> Please note, I did not specify why DNS SRV resolved differently than old
> style DNS - could be malicious, could be an simple mistake.     I am
> assuming the DNS SRV and old DNS might be answered from different servers.
>
>
You definitely could set it up such that the results from an SRV lookup
point to a different server than that resulting from a lookup of AAAA or A;
that's kind of the point.  The SRV lookup is to a service within the
original domain, but the resulting lookup could have results outside it.
To go back to Dave Cridland's example, you can see that the result of the
SRV is another name requiring lookup.

;; ANSWER SECTION:
_xmpp-server._tcp.gmail.com. 26125 IN   SRV     5 0 5269  xmpp-server.l.google.com.
_xmpp-server._tcp.gmail.com. 26125 IN   SRV     20 0 5269 xmpp-server1.l.google.com.
_xmpp-server._tcp.gmail.com. 26125 IN   SRV     20 0 5269 xmpp-server2.l.google.com.
_xmpp-server._tcp.gmail.com. 26125 IN   SRV     20 0 5269 xmpp-server3.l.google.com.
_xmpp-server._tcp.gmail.com. 26125 IN   SRV     20 0 5269 xmpp-server4.l.google.com.

You'd have to avoid the results triggering the antibodies to a cross-site
scripting attack in order to deploy this well, in my opinion.

regards,

Ted



> Do browsers restrict origin / cross-site access based on name or on address?
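The following is an added illustration and is not part of the thread above or of the WebSocket draft. It replays the four-step scenario in the quoted message against a constructed zone table (every example.com / example-cdn.net name and every address in ZONE is made up), and it also parses the gmail.com SRV answer quoted above as-is. The record-selection rule is a deterministic stand-in for RFC 2782's weighted random pick; the in_domain check is one possible name-based policy, not anything the draft specifies.

```python
"""
Added example: an SRV lookup under a domain can hand a client a target
name, and therefore an address, outside that domain.  Real DNS is replaced
by the constructed ZONE table; names and addresses there are hypothetical.
"""
import re
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "priority weight port target")

# Constructed zone data (hypothetical).  The SRV owner is under example.com,
# but the preferred target lives under a different domain.
ZONE = {
    "example.com.": {"A": ["192.0.2.10"]},
    "ws.example.com.": {"A": ["192.0.2.10"]},
    "ws-edge.example-cdn.net.": {"A": ["198.51.100.7"]},
    "_ws._tcp.example.com.": {"SRV": [
        SrvRecord(5, 0, 443, "ws-edge.example-cdn.net."),  # lowest priority wins
        SrvRecord(20, 0, 443, "ws.example.com."),
    ]},
}

# The answer section quoted in the thread (first three records, as printed).
DIG_ANSWER = """\
_xmpp-server._tcp.gmail.com. 26125 IN SRV 5 0 5269 xmpp-server.l.google.com.
_xmpp-server._tcp.gmail.com. 26125 IN SRV 20 0 5269 xmpp-server1.l.google.com.
_xmpp-server._tcp.gmail.com. 26125 IN SRV 20 0 5269 xmpp-server2.l.google.com.
"""


def fqdn(name):
    return name if name.endswith(".") else name + "."


def in_domain(target, origin):
    """Name-based check: target equals origin or is a subdomain of it."""
    t, o = fqdn(target).lower(), fqdn(origin).lower()
    return t == o or t.endswith("." + o)


def parse_srv_answer(text):
    """Parse dig-style SRV answer lines into (owner, SrvRecord) pairs."""
    pat = re.compile(
        r"^(\S+)\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$", re.M)
    return [(m.group(1), SrvRecord(int(m.group(2)), int(m.group(3)),
                                   int(m.group(4)), m.group(5)))
            for m in pat.finditer(text)]


def srv_owner_domain(owner):
    """Drop the _service._proto labels to recover the domain the SRV belongs to."""
    return ".".join(l for l in owner.split(".") if not l.startswith("_"))


def foreign_srv_targets(text):
    """Targets in a dig answer that are not under the SRV owner's own domain."""
    return [rec.target for owner, rec in parse_srv_answer(text)
            if not in_domain(rec.target, srv_owner_domain(owner))]


def resolve_a(name):
    """Old-style path: the browser that fetched the page resolves A directly."""
    return ZONE.get(fqdn(name), {}).get("A", [])


def resolve_srv(service, proto, name):
    """SRV path: lowest priority, then heaviest weight (deterministic stand-in
    for RFC 2782's weighted random choice), then resolve the chosen target."""
    recs = ZONE.get(f"_{service}._{proto}.{fqdn(name)}", {}).get("SRV", [])
    if not recs:
        return None, []
    chosen = sorted(recs, key=lambda r: (r.priority, -r.weight))[0]
    return chosen, resolve_a(chosen.target)


def compare_paths(origin, service="ws", proto="tcp"):
    """Does the SRV path stay within the origin by name, and by address?"""
    page_addrs = resolve_a(origin)
    rec, srv_addrs = resolve_srv(service, proto, origin)
    return {
        "page_addrs": page_addrs,
        "srv_target": rec.target if rec else None,
        "srv_addrs": srv_addrs,
        "same_name": rec is None or in_domain(rec.target, origin),
        "same_addrs": rec is None or set(srv_addrs) == set(page_addrs),
    }


if __name__ == "__main__":
    print("foreign targets in the gmail.com answer:", foreign_srv_targets(DIG_ANSWER))
    print(compare_paths("example.com"))
```

With the constructed zone, the page is served from 192.0.2.10 while the SRV path lands on ws-edge.example-cdn.net at 198.51.100.7, so both the name-based and the address-based comparison report divergence; for the real gmail.com answer, every target is under l.google.com rather than gmail.com, which is exactly the "another name requiring lookup" shape Ted points to.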