Re: [websec] Principles of the Same-Origin Policy
John Kemp <john@jkemp.net> Tue, 22 February 2011 02:29 UTC
Hi Adam,

On Feb 21, 2011, at 5:10 PM, Adam Barth wrote:

> Pursuant to the charter, I've posted an informational draft that
> "describes the same-origin security model overall:"
>
> http://www.ietf.org/id/draft-abarth-principles-of-origin-00.txt
>
> I don't expect this document to be very controversial. I'm sure folks
> will nitpick me over renaming URL to URI and MIME types to media
> types, however. :)
>
> Feedback welcome.

Some feedback which does not nitpick about your usage of URL or MIME:

i) Introduction

* What is the "web platform", for the purposes of this discussion?

i) Section 2. 'Trust':

* Is trust always specified by URL? Who is the trust specified by, and to whom is it granted?

* What do you consider to be a "user agent" - do you mean a Web browser, or the larger class of things which have often been called user agents? Wikipedia, for example (http://en.wikipedia.org/wiki/User_agent) mentions search engine crawlers and screen readers. Is 'curl' a user agent for the purposes of your statements about what a user agent does when accessing a script? Is the content at the URL always "executed" by the user agent?

* You mention the term 'principal' - ('principals export data to URLs') - do you mean "security principal", or "user", and are they always synonymous?

ii) 2.1 Pitfalls

* Is your only "pitfall" that someone might use the http URI scheme for both TLS and non-TLS protected resources? Might there not be other important trust distinctions visible in URLs? Perhaps some examples of distinguishing trust via URLs would be helpful here?

iii) 3. Origin

* Some user agents do already treat each URL as a separate principal (at least in my understanding of a user agent)

* Might be worth referencing the definition of origin as scheme, host and port

iv) 4. Authority

* You mention serving content as image/png instead of text/html - why not recommend either to serve the content without a Content-type header at all (as suggested by the W3C TAG finding on authoritative metadata - http://www.w3.org/2001/tag/doc/mime-respect) and have recipients follow your content sniffing algorithm (for example), or serve the content as 'application/octet-stream'?

* In general, what is the relationship between your content sniffing draft and this section on authority-as-conveyed-by-MIME-type?

* How is the amount of authority designated? What constitutes full (or partial) authority?

v) 5. Policy

* Is it worth mentioning iframes and the iframe sandbox attribute here, in relation to scripts accessing objects belonging to the parent document?

* You mention that blocking cross-origin requests would prevent users from following hyperlinks (and that this is core to web architecture). This highlighted (to me at least) that trust in URLs is *not* always origin-based. A user may trust content from multiple origins, and compose a page which contains such content.

* To whom is the "value proposition high enough" in making a cross-origin request?

* Can you explain, or provide an example, that illustrates your discussion about granting a privilege to one document and withholding it from another, even though this document is from the same origin?

vi) 6. Conclusion

* I find it hard to believe that all trust relationships on the Web are designated via URLs, and that all security policy is associated with origins. Certainly it is one usable model, but there are others (you mention one yourself - "user agents could treat every URL as a separate principal")

Although the title of this document is 'Principles of the Same-Origin Policy', you have partially described a security model of the web based in origin. It feels as if you should either restrict this document to talk only about origin-based security policy, or more fully describe the web security model to which you allude. Do screen readers, crawlers and curl/wget fit into that model?

Regards,

- John

> Adam
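As an added illustration (not part of the thread, and not code from the draft) of the scheme/host/port definition of origin raised under "3. Origin" and the http-vs-https pitfall raised under "2.1 Pitfalls": the snippet below derives the origin tuple from a URL the way a browser does, normalising default ports, and shows which URL differences split principals and which do not. The sample URLs and the function names are constructed for this example.

```javascript
// Added example: compute the (scheme, host, port) origin tuple of a URL and
// compare two URLs for same-origin. Uses the WHATWG URL class available in
// browsers and Node.js. Sample hostnames below are constructed, not real sites.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Returns the origin tuple. Path, query, fragment and userinfo are deliberately
// dropped: they play no part in the origin, so two documents that differ only
// there are the same principal under an origin-based policy.
function originOf(urlString) {
  const u = new URL(urlString);
  // URL parsing strips an explicit default port, so fill it back in to make
  // http://a.example/ and http://a.example:80/ compare equal.
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return {
    scheme: u.protocol.replace(/:$/, ""),
    host: u.hostname.toLowerCase(),
    port: port,
  };
}

function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Constructed cases. The second pair is the pitfall from the message: the same
// host reached over TLS and without TLS is two different origins, so nothing
// about the host alone tells a user agent which trust level applies.
const CASES = [
  ["http://app.example/a/page", "http://app.example:80/b/other?x=1"], // same: path, query, default port ignored
  ["http://app.example/", "https://app.example/"],                    // different: scheme
  ["https://app.example/", "https://app.example:8443/"],              // different: port
  ["https://app.example/", "https://cdn.example/"],                   // different: host
];

for (const [a, b] of CASES) {
  console.log(`${a}  vs  ${b}  ->  sameOrigin=${sameOrigin(a, b)}`);
}
```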