[websec] Fwd: I-D Action: draft-nir-websec-extended-origin-00.txt

Yoav Nir <ynir@checkpoint.com> Thu, 02 February 2012 22:54 UTC

Return-Path: <ynir@checkpoint.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1002F21F8655 for <websec@ietfa.amsl.com>; Thu, 2 Feb 2012 14:54:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.457
X-Spam-Level:
X-Spam-Status: No, score=-10.457 tagged_above=-999 required=5 tests=[AWL=0.141, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P+ojR53t0ngU for <websec@ietfa.amsl.com>; Thu, 2 Feb 2012 14:54:43 -0800 (PST)
Received: from michael.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id 305D121F8650 for <websec@ietf.org>; Thu, 2 Feb 2012 14:54:41 -0800 (PST)
X-CheckPoint: {4F2B10D0-0-1B221DC2-1FFFF}
Received: from il-ex01.ad.checkpoint.com (il-ex01.ad.checkpoint.com [194.29.34.26]) by michael.checkpoint.com (8.13.8/8.13.8) with ESMTP id q12Mse89029860 for <websec@ietf.org>; Fri, 3 Feb 2012 00:54:40 +0200
Received: from il-ex03.ad.checkpoint.com (194.29.34.71) by il-ex01.ad.checkpoint.com (194.29.34.26) with Microsoft SMTP Server (TLS) id 8.3.213.0; Fri, 3 Feb 2012 00:54:40 +0200
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex03.ad.checkpoint.com ([194.29.34.71]) with mapi; Fri, 3 Feb 2012 00:54:39 +0200
From: Yoav Nir <ynir@checkpoint.com>
To: IETF WebSec WG <websec@ietf.org>
Date: Fri, 03 Feb 2012 00:54:39 +0200
Thread-Topic: I-D Action: draft-nir-websec-extended-origin-00.txt
Thread-Index: Aczh/aUIQO/LIhDuQAuf+kjfsK/BIA==
Message-ID: <C35E9FBD-8AF7-4F63-B798-1316B985E032@checkpoint.com>
References: <20120202220021.31936.37346.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
Content-Type: multipart/alternative; boundary="_000_C35E9FBD8AF74F63B7981316B985E032checkpointcom_"
MIME-Version: 1.0
X-KSE-AntiSpam-Interceptor-Info: protection disabled
Subject: [websec] Fwd: I-D Action: draft-nir-websec-extended-origin-00.txt
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Feb 2012 22:54:44 -0000

Hi

I have just submitted this draft. The purpose of this is to address the case where a single portal hides several real servers behind it, by translating their URLs into URL that seem to be from that server.

In that case the same origin policy is not enforced correctly, because cookies and scripts from one server behind the portal (for example, a mail server) can be shared and can affect pages form another server behind the same portal.

This draft proposes a header that will tell the client (browser) what the real origin is, and allow the client to apply the SOP.

If people find this interesting, I would like to discuss this in Paris. Any comments will be greatly appreciated.

Yoav

Begin forwarded message:

From: "internet-drafts@ietf.org<mailto:internet-drafts@ietf.org>" <internet-drafts@ietf.org<mailto:internet-drafts@ietf.org>>
Subject: I-D Action: draft-nir-websec-extended-origin-00.txt
Date: February 3, 2012 12:00:21 AM GMT+02:00
To: "i-d-announce@ietf.org<mailto:i-d-announce@ietf.org>" <i-d-announce@ietf.org<mailto:i-d-announce@ietf.org>>
Reply-To: "internet-drafts@ietf.org<mailto:internet-drafts@ietf.org>" <internet-drafts@ietf.org<mailto:internet-drafts@ietf.org>>


A New Internet-Draft is available from the on-line Internet-Drafts directories.

Title           : A More Granular Web Origin Concept
Author(s)       : Yoav Nir
Filename        : draft-nir-websec-extended-origin-00.txt
Pages           : 8
Date            : 2012-02-02

  This document defines an HTTP header that allows to partition a
  single origin as defined in RFC 6454 into multiple origins, so that
  the same origin policy applies among them.

  The header introduced in this document allows the portal to specify
  that resources that appear to be from the same origin should, in
  fact, be treated as though they are from different origins, by
  extending the 3-tuple of the origin to a 4-tuple.  The user agent is
  expected to apply the same-origin policy according to the 4-tuple
  rather than the 3-tuple.


A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-nir-websec-extended-origin-00.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

This Internet-Draft can be retrieved at:
ftp://ftp.ietf.org/internet-drafts/draft-nir-websec-extended-origin-00.txt