Re: [websec] LC nits on draft-ietf-websec-origin-04, Re: Fwd: WG Last Call on draft-ietf-websec-origin-02 until Aug-15

Adam Barth <ietf@adambarth.com> Fri, 26 August 2011 09:04 UTC

In-Reply-To: <4E575E3C.4020801@gmx.de>
References: <4E248B9C.1070701@gondrom.org> <860551CF-FC8D-4C82-86ED-04E1AF4293E3@w3.org> <4E553839.1000302@stpeter.im> <4E566BBD.5010507@gmx.de> <CAJE5ia8WQaF2KVrQY+AB=dF3Zwe-J4WgAHz3GRmDaurLR_gCuQ@mail.gmail.com> <4E573FF2.5000203@gmx.de> <CAJE5ia9epvih+45X=4x70_E7-q+d8FWDdd7gnX4=7c9aFed5Rg@mail.gmail.com> <4E575475.30609@gmx.de> <CAJE5ia8i_tFfm1PoTpu74Op7DXxbKRQDa8hHuG2ke_1yYUxTcw@mail.gmail.com> <4E575E3C.4020801@gmx.de>
From: Adam Barth <ietf@adambarth.com>
Date: Fri, 26 Aug 2011 02:04:54 -0700
Message-ID: <CAJE5ia9GZFg8CX9fKvvckA23HLA0dxx5e76-md6PNDspgwe1eA@mail.gmail.com>
To: Julian Reschke <julian.reschke@gmx.de>
Cc: websec <websec@ietf.org>
Subject: Re: [websec] LC nits on draft-ietf-websec-origin-04, Re: Fwd: WG Last Call on draft-ietf-websec-origin-02 until Aug-15

On Fri, Aug 26, 2011 at 1:50 AM, Julian Reschke <julian.reschke@gmx.de> wrote:
> On 2011-08-26 10:12, Adam Barth wrote:
>>
>> [-public-web-security, to avoid cross-posting too much]
>>
>>> On Fri, Aug 26, 2011 at 1:08 AM, Julian Reschke <julian.reschke@gmx.de> wrote:
>>>
>>> On 2011-08-26 09:58, Adam Barth wrote:
>>>>
>>>> ...
>>>> That could well be important if the Origin header is used in other
>>>> protocols, such as CORS.  Would you recommend requiring the first or
>>>> the last instance?
>>>> ...
>>>
>>> (cc'ing the IETF WG; I was replying to the wrong email thread)
>>>
>>> I think the right thing to do would be to recommend one of:
>>>
>>> - treat the message as invalid, or
>>>
>>> - ignore the header field (whatever that means...).
>>>
>>> Picking one of the two seems to be the wrong approach.
>>
>> Ok.  Maybe the best solution is to treat the header as if it contained
>> the value "null", which basically means the server doesn't know which
>> origin sent the message.  That's what we recommend user agents do when
>> they get confused about what value to put in the header.
>> ...
>
> It just occurred to me that this will be hard to do in some cases.
>
> Intermediaries/middleware/libraries are allowed to collapse multiple headers
> into a single one, so
>
>  Origin: http://example.com
>  Origin: b
>
> would be combined to
>
>  Origin: http://example.com,b
>
> The "," is allowed in reg-name, so you can't detect this as invalid.

Correct.  That's why we forbid user agents from generating those requests.

Adam
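The point in the exchange above can be checked directly. The following is an added example, not code from the thread or from the draft: it models the server-side rule Adam proposes (more than one Origin field means the server does not know the origin, so treat it as "null"), a validator for a single serialized-origin built from the RFC 3986 host grammar (reg-name admits sub-delims, and sub-delims includes ","), and a `collapse()` helper that does what Julian describes a comma-combining intermediary doing. The regex is my approximation of the grammar (IPv6 literals are handled loosely, and a space-separated origin-list in one field is not accepted); all names here are assumptions of this example.

```python
import re

# Approximation of RFC 3986 host productions (assumption of this example).
# The detail that matters: reg-name = *( unreserved / pct-encoded / sub-delims )
# and sub-delims includes "," so "example.com,b" is a syntactically valid host.
UNRESERVED = r"A-Za-z0-9\-._~"
SUB_DELIMS = r"!$&'()*+,;="
REG_NAME = rf"(?:[{UNRESERVED}{SUB_DELIMS}]|%[0-9A-Fa-f]{{2}})*"
IP_LITERAL = r"\[[0-9A-Fa-f:.]+\]"          # loose IPv6 literal
HOST = rf"(?:{IP_LITERAL}|{REG_NAME})"
SCHEME = r"[A-Za-z][A-Za-z0-9+\-.]*"
# serialized-origin = scheme "://" host [ ":" port ], port = *DIGIT
SERIALIZED_ORIGIN = re.compile(rf"^{SCHEME}://{HOST}(?::[0-9]*)?$")


def is_serialized_origin(value: str) -> bool:
    """True if value matches the serialized-origin grammar above."""
    return SERIALIZED_ORIGIN.match(value) is not None


def effective_origin(headers):
    """Server-side rule for the Origin header, as proposed in the thread.

    headers: list of (name, value) pairs in wire order.
    Returns None if no Origin field is present, "null" if the server cannot
    tell which origin sent the request (several Origin fields, or a value
    that is neither "null" nor a serialized-origin), else the origin string.
    """
    values = [v.strip() for n, v in headers if n.lower() == "origin"]
    if not values:
        return None
    if len(values) > 1:
        # Two Origin fields: the user agent is forbidden from sending this,
        # so the server treats it as unknown origin rather than picking one.
        return "null"
    value = values[0]
    if value == "null" or is_serialized_origin(value):
        return value
    return "null"


def collapse(headers):
    """Model of an intermediary/library that folds repeated header fields
    into one field, joining the values with "," (constructed behaviour)."""
    out = []
    position = {}
    for name, value in headers:
        key = name.lower()
        if key in position:
            i = position[key]
            out[i] = (out[i][0], out[i][1] + "," + value.strip())
        else:
            position[key] = len(out)
            out.append((name, value.strip()))
    return out


if __name__ == "__main__":
    # Constructed request headers matching the example in the thread.
    raw = [("Host", "example.com"),
           ("Origin", "http://example.com"),
           ("Origin", "b")]
    print("as sent:   ", effective_origin(raw))            # null
    print("collapsed: ", effective_origin(collapse(raw)))  # http://example.com,b
```

Run as sent, the two Origin fields are detected and the request is treated as origin "null". After an intermediary collapses them, the single value `http://example.com,b` passes the grammar check and is returned as a valid origin, which is exactly the case Julian points out cannot be detected downstream; the only place the duplicate can be stopped is in the user agent that would otherwise generate it.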