Re: [websec] Same Origins and email

Adam Barth <ietf@adambarth.com> Mon, 12 December 2011 19:35 UTC

In-Reply-To: <215EC5C2-A72E-461E-BF9E-1E291CDBD439@checkpoint.com>
References: <F5833273385BB34F99288B3648C4F06F19C6C15518@EXCH-C2.corp.cloudmark.com> <CAJE5ia8mDSjr6ww3uduUP_SQV2i9CB5cpuLDzL1tj8MvWb8PcA@mail.gmail.com> <F5833273385BB34F99288B3648C4F06F19C6C1551A@EXCH-C2.corp.cloudmark.com> <215EC5C2-A72E-461E-BF9E-1E291CDBD439@checkpoint.com>
From: Adam Barth <ietf@adambarth.com>
Date: Mon, 12 Dec 2011 11:35:11 -0800
Message-ID: <CAJE5ia-GTD2GPxJw0KhPUjQQ9_Bhc4B7of2FAecBt9nZiKP27g@mail.gmail.com>
To: Yoav Nir <ynir@checkpoint.com>
Cc: "websec@ietf.org" <websec@ietf.org>
Subject: Re: [websec] Same Origins and email

On Mon, Dec 12, 2011 at 11:25 AM, Yoav Nir <ynir@checkpoint.com> wrote:
> On Dec 12, 2011, at 9:13 PM, Murray S. Kucherawy wrote:
>>> -----Original Message-----
>>> From: Adam Barth [mailto:ietf@adambarth.com]
>>> Sent: Monday, December 12, 2011 11:09 AM
>>> To: Murray S. Kucherawy
>>> Cc: websec@ietf.org
>>> Subject: Re: [websec] Same Origins and email
>>>
>>> That depends on the MUA.  In Gmail, for example, the origin is
>>> https://mail.google.com.  It depends on the URL the MUA assigns to the
>>> HTML document contained in the email.
>>
>> What about something like Outlook or alpine, where we're not talking about a web-based MUA but one that pulls from a local store?
>
> file://localhost ?
>
> Although I think HTML you get through the mail should not be scripted by files on your computer, so maybe each mail item should have its own origin.

The questions you're asking don't really have universal answers.
These behaviors aren't standardized and so are likely to vary from MUA
to MUA.

Adam
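The origin computation the thread turns on, as an added example that is not part of the original message or any MUA's code: it derives the RFC 6454 origin from the URL a hypothetical MUA assigns to a rendered HTML message and contrasts the three assignments discussed above (the webmail host, one shared file://localhost origin, and a fresh origin per mail item). The policy names and message URLs are constructed for the demo.

```python
"""Added example: how the URL an MUA assigns to a rendered message decides
whether two messages end up in the same origin. Not code from any MUA."""
from urllib.parse import urlsplit
import itertools

DEFAULT_PORTS = {"http": 80, "https": 443}
_fresh = itertools.count()  # source of fresh opaque origin identifiers


def origin_of(url, file_policy="shared"):
    """Return the origin of a document located at `url`.

    Hierarchical http(s) URLs yield (scheme, host, port), filling in the
    scheme's default port as RFC 6454 section 4 prescribes.  For file: URLs
    RFC 6454 leaves the value implementation-defined; `file_policy` (a
    constructed knob) picks either one shared ("file", "localhost", None)
    origin or a fresh opaque origin for every document, which is the
    "each mail item gets its own origin" idea.  Anything else is opaque.
    Note that an opaque origin differs on every call, by design.
    """
    parts = urlsplit(url)
    if parts.scheme in DEFAULT_PORTS and parts.hostname:
        port = parts.port or DEFAULT_PORTS[parts.scheme]
        return (parts.scheme, parts.hostname.lower(), port)
    if parts.scheme == "file" and file_policy == "shared":
        return ("file", "localhost", None)
    return ("opaque", next(_fresh), None)


def same_origin(url_a, url_b, file_policy="shared"):
    """True when documents at the two URLs may script each other."""
    return origin_of(url_a, file_policy) == origin_of(url_b, file_policy)


def demo():
    """Compare the three assignment policies from the thread (constructed URLs)."""
    # Web MUA: every message is rendered under the webmail host, so any two
    # messages share the origin https://mail.google.com (port 443 implied).
    web = same_origin("https://mail.google.com/mail/u/0/#inbox/m1",
                      "https://mail.google.com:443/mail/u/0/#inbox/m2")
    # Local MUA handing every message a file://localhost URL and treating file:
    # as one origin: messages share an origin, the risk Yoav raises above.
    local_shared = same_origin("file://localhost/mail/m1.html",
                               "file://localhost/mail/m2.html")
    # Same MUA with a fresh opaque origin per item: messages are isolated.
    local_isolated = same_origin("file://localhost/mail/m1.html",
                                 "file://localhost/mail/m2.html",
                                 file_policy="per-item")
    return web, local_shared, local_isolated
```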