Re: [websec] Principles of the Same-Origin Policy
Adam Barth <ietf@adambarth.com> Sat, 28 May 2011 05:30 UTC
In-Reply-To: <D1D3A6C4-6A29-40AA-8AB2-F69873BD745E@mnot.net>
References: <AANLkTi=nCJSC2ZpY6R_NPJUjODAgiYcRSZTaSxWr8+Fz@mail.gmail.com> <D1D3A6C4-6A29-40AA-8AB2-F69873BD745E@mnot.net>
From: Adam Barth <ietf@adambarth.com>
Date: Fri, 27 May 2011 22:29:41 -0700
Message-ID: <BANLkTikVCVex5ibzM8EgVWHfC7C6Pu4G3A@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: websec <websec@ietf.org>
Subject: Re: [websec] Principles of the Same-Origin Policy
On Fri, May 27, 2011 at 10:24 PM, Mark Nottingham <mnot@mnot.net> wrote:
> A bit late to the party, but FWIW I like this document. Thanks.

Not too late. I've got the doc open in my editor as we speak. :)

> It brings two questions to mind, however:
>
> * Currently, HTTPbis ticket 270 [1] moves the details of the Upgrade process in HTTP to p2-semantics [2], which "updates" (not obsoletes) RFC2817 [3], the definition of how to upgrade to TLS within HTTP/1.1 (i.e., without changing the scheme). I'm wondering if a stronger statement needs to be made; e.g., obsoleting 2817, or marking it historic. It may also be worth mentioning in your draft as a bad practice.

Yeah, it's probably not intuitive why this causes security problems.

> * It doesn't mention CORS [4], which is a *much* more fine-grained (and as I've said many times, undesirably chatty) definition of a trust domain. Shouldn't there be some guidance on the relationship between these different concepts, when it's appropriate to use them, etc?

There's a whole topic of controlled interaction between principals (e.g., CORS, postMessage). That's certainly important stuff, but it's not clear to me how to say something helpful about it compactly. In some sense, it's "a layer above" in that it builds on top of these concepts. I'll find a way to add something in the network access section about opting into more sharing (e.g., CORS).

Thanks!
Adam

> 1. <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/240>
> 2. <http://tools.ietf.org/html/draft-ietf-httpbis-p2-semantics-14>
> 3. <http://www.ietf.org/rfc/rfc2817.txt>
> 4. <http://www.w3.org/TR/cors/>
>
> On 22/02/2011, at 9:10 AM, Adam Barth wrote:
>
>> Pursuant to the charter, I've posted an informational draft that
>> "describes the same-origin security model overall:"
>>
>> http://www.ietf.org/id/draft-abarth-principles-of-origin-00.txt
>>
>> I don't expect this document to be very controversial. I'm sure folks
>> will nitpick me over renaming URL to URI and MIME types to media
>> types, however. :)
>>
>> Feedback welcome.
>>
>> Adam
>> _______________________________________________
>> websec mailing list
>> websec@ietf.org
>> https://www.ietf.org/mailman/listinfo/websec
>
> --
> Mark Nottingham http://www.mnot.net/
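As an added illustration of the two points in the exchange above (not code from the thread or from Adam's draft): the scheme/host/port triple that the same-origin policy compares, which is why an RFC 2817 in-connection upgrade to TLS leaves the origin unchanged, and a server-side CORS allowlist decision as the "opting into more sharing" step. `DEFAULT_PORTS`, `origin_of`, `same_origin` and `cors_allow_origin` are hypothetical names chosen here.

```python
"""Origin computation and same-origin comparison, written to illustrate
draft-abarth-principles-of-origin.  Hypothetical helper code, not the
draft's text and not any browser's implementation."""
from typing import Optional, FrozenSet
from urllib.parse import urlsplit

# Constructed table of default ports; only these two schemes are handled.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> tuple:
    """Return the (scheme, host, port) triple identifying a URL's origin.

    The triple is derived purely from the URL.  Whether the underlying TCP
    connection was later upgraded to TLS (RFC 2817 style, scheme unchanged)
    plays no part, so content fetched over such an upgraded connection ends
    up in the same origin as content fetched in the clear.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported or malformed URL: {url!r}")
    # urlsplit lowercases hostname; .port raises ValueError on a bad port.
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return (scheme, parts.hostname, port)


def same_origin(a: str, b: str) -> bool:
    """Two URLs share an origin iff their (scheme, host, port) triples match."""
    return origin_of(a) == origin_of(b)


def cors_allow_origin(request_origin: str,
                      allowlist: FrozenSet[str]) -> Optional[str]:
    """Choose the Access-Control-Allow-Origin value for a response.

    This is the explicit opt-in: the server names the foreign origins it
    trusts.  Returns the header value to echo back, or None to send no
    header, in which case the browser keeps the default policy and blocks
    the cross-origin read.
    """
    return request_origin if request_origin in allowlist else None
```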