Re: [OAUTH-WG] Web apps BCP feedback

Neil Madden <neil.madden@forgerock.com> Sat, 25 September 2021 18:11 UTC

From: Neil Madden <neil.madden@forgerock.com>
Date: Sat, 25 Sep 2021 19:10:58 +0100
Message-Id: <7306C2C0-DC84-4A0B-9344-EF238F6A7E44@forgerock.com>
References: <2EA892D6-D2F5-46AA-9B03-63F7AC4C5A69@manicode.com>
Cc: Dominick Baier <dbaier@leastprivilege.com>, oauth <oauth@ietf.org>
In-Reply-To: <2EA892D6-D2F5-46AA-9B03-63F7AC4C5A69@manicode.com>
To: Jim Manico <jim@manicode.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/PWuoSh5MSKUhv8AsR3ju0fbpEY8>

Technically yes, CSRF refers to cross-site attacks. However, there is a class of attacks that are cross-*origin* but not cross-site and which are otherwise identical to CSRF. SameSite doesn’t protect against these attacks but other traditional CSRF defences *do*. For example, synchronizer tokens in hidden form fields or even just requiring a custom header on requests both provide some protection against such attacks, as they both use mechanisms that are subject to the same origin policy rather than same-site. 

— Neil
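As an added illustration of the distinction drawn above (example code written for this archive page, not from any of the participants), a small Python model contrasts a POST forged from a sibling subdomain, which is same-site but cross-origin, with one forged from a different site: the SameSite rule attaches the session cookie in the first case, while a custom-header or synchronizer-token check, both gated by the same-origin policy, still rejects it. The public-suffix set, URLs, header name and token value are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed mini "public suffix list" (assumption; browsers use the full PSL).
PUBLIC_SUFFIXES = {"com", "net", "test"}


def registrable_domain(host):
    """eTLD+1, the unit SameSite compares: app.example.com -> example.com."""
    labels = host.lower().split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host.lower()


def same_site(a, b):
    """Schemeful same-site: same scheme and same registrable domain; subdomains are ignored."""
    ua, ub = urlsplit(a), urlsplit(b)
    return ua.scheme == ub.scheme and registrable_domain(ua.hostname) == registrable_domain(ub.hostname)


def same_origin(a, b):
    """Same-origin policy: scheme, host and port must all match."""
    ua, ub = urlsplit(a), urlsplit(b)
    return (ua.scheme, ua.hostname, ua.port) == (ub.scheme, ub.hostname, ub.port)


def forged_post(attacker_page, target_url, samesite="Lax"):
    """Model what a page at attacker_page can make the browser POST to target_url.
    Cookies follow the SameSite rule (Lax/Strict: same-site only; None: always).
    A custom request header, or a synchronizer token read out of the target's
    HTML, is only available from the same origin (no CORS opt-in assumed)."""
    cookie = samesite == "None" or same_site(attacker_page, target_url)
    trusted = same_origin(attacker_page, target_url)
    return {"cookie": cookie,
            "headers": {"X-Requested-With": "XMLHttpRequest"} if trusted else {},
            "csrf_token": "tok-123" if trusted else None}


def samesite_only_server(req):
    """Server that relies on SameSite alone: a present session cookie is enough."""
    return req["cookie"]


def origin_bound_server(req, expected_token="tok-123"):
    """Traditional CSRF defence: session cookie plus either a custom header
    or a valid synchronizer token, both of which are same-origin gated."""
    if not req["cookie"]:
        return False
    return (req["headers"].get("X-Requested-With") == "XMLHttpRequest"
            or req["csrf_token"] == expected_token)
```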

> On 25 Sep 2021, at 18:20, Jim Manico <jim@manicode.com> wrote:
> 
> If someone has taken over a subdomain in the ways described, that is not cross site request forgery since the attack is occurring from within your site. It’s more likely XSS that allows for cookie clobbering or similar, or just malicious code injected by the malicious controller of your subdomain. This is not strictly CSRF nor are these problems protected from any other standard form of CSRF defense.
> 
> CSRF is a Cross Site attack where the attack is hosted on a different domain.
> 
> --
> Jim Manico
> 
>> On Sep 25, 2021, at 1:07 AM, Dominick Baier <dbaier@leastprivilege.com> wrote:
>> 
>> In 6.1 it says
>> 
>> "Additionally, the SameSite cookie attribute can be used to
>> prevent CSRF attacks, or alternatively, the application and API could
>> be written to use anti-CSRF tokens."
>> 
>> “Prevent” is a bit strong.
>> 
>> SameSite only restricts cookies sent across site boundaries. It does not prevent CSRF attacks from within a site boundary. Scenarios could be a compromised sub-domain, like sub-domain takeover or just some vulnerable application co-located on the same site.
>> 
>> thanks
>> ———
>> Dominick Baier
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
