Re: [websec] Principles of the Same-Origin Policy

Adam Barth <ietf@adambarth.com> Mon, 13 June 2011 17:58 UTC

In-Reply-To: <4DE11C88.2090409@lookout.net>
References: <AANLkTi=nCJSC2ZpY6R_NPJUjODAgiYcRSZTaSxWr8+Fz@mail.gmail.com> <D1D3A6C4-6A29-40AA-8AB2-F69873BD745E@mnot.net> <BANLkTikVCVex5ibzM8EgVWHfC7C6Pu4G3A@mail.gmail.com> <4DE11C88.2090409@lookout.net>
From: Adam Barth <ietf@adambarth.com>
Date: Mon, 13 Jun 2011 10:58:21 -0700
Message-ID: <BANLkTin0OZA7R-Mb0nAu+FsQWpnLeKjJkg@mail.gmail.com>
To: Chris Weber <chris@lookout.net>
Cc: websec <websec@ietf.org>
Subject: Re: [websec] Principles of the Same-Origin Policy

On Sat, May 28, 2011 at 9:02 AM, Chris Weber <chris@lookout.net> wrote:
> Some minor suggestions on section "5.2.  Network Access".
>
>   "Access to network resources varies depending on whether the resources
>   are in the same origin as the document attempting to access them.
>
>   Generally, reading information from another origin is forbidden."
>
> Based on the generality of the content that is allowed - images, script,
> style sheets, it almost seems that the above sentence could be reversed to
> say that "Generally, reading information from another origin is allowed."
> Otherwise, you could further demonstrate some of the cases where it is
> generally forbidden, such as with XmlHttpRequest.

The general case is that it is forbidden.  It's only in the enumerated
special cases that it is allowed.  The number of enumerated cases
isn't related to what happens in the general case.

>   "However, a document is permitted to use some kinds of resources
>   retrieved from other origins.  For example, a document is permitted
>   to execute script, render images, and apply style sheets from any
>   origin.  Likewise, a document can display a document from another
>   origin in a frame."
>
> The notion of displaying a document in a frame may be misleading in the
> context of this paragraph, given that the other examples grant full access
> to the creator document's DOM, while the document in the frame does not.

That's not accurate.  Rendering an image from another origin does not
grant full access to the creator document's DOM, nor does applying
style sheets (in modern browsers).

>   "Generally, sending information to another origin is permitted.
>   However, sending information over the network in arbitrary formats is
>   dangerous.  For this reason, user agents restrict documents to
>   sending information using particular protocols, such as in an HTTP
>   request without custom headers."
>
> I'm feeling a bit hungry here, can you provide some more food for thought?
> Some simple examples may help.  I'm thinking of HTML's postMessage
> interface and HTML forms.

I added a sentence about the recent issues with WebSockets expanding
the allowable set of things an origin can send.

Thanks!
Adam