Re: [websec] Principles of the Same-Origin Policy
Chris Weber <chris@lookout.net> Sat, 28 May 2011 16:02 UTC
Some minor suggestions on section "5.2. Network Access".
"Access to network resources varies depending on whether the resources
are in the same origin as the document attempting to access them.
Generally, reading information from another origin is forbidden."
Based on the generality of the content that is allowed - images, script,
style sheets - it almost seems that the above sentence could be reversed
to say that "Generally, reading information from another origin is
allowed." Otherwise, you could further demonstrate some of the cases
where it is generally forbidden, such as with XmlHttpRequest.
"However, a document is permitted to use some kinds of resources
retrieved from other origins. For example, a document is permitted
to execute script, render images, and apply style sheets from any
origin. Likewise, a document can display a document from another
origin in a frame."
The notion of displaying a document in a frame may be misleading in the
context of this paragraph, given that the other examples grant full
access to the creator document's DOM, while the document in the frame
does not.
"Generally, sending information to another origin is permitted.
However, sending information over the network in arbitrary formats is
dangerous. For this reason, user agents restrict documents to
sending information using particular protocols, such as in an HTTP
request without custom headers."
I'm feeling a bit hungry here; can you provide some more food for
thought? Some simple examples may help. I'm thinking of HTML's
postMessage interface and HTML forms.
Best regards,
Chris Weber
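As an added illustration of the section 5.2 rules discussed in this message (example code, not part of the email or of the draft): origin comparison follows the RFC 6454 scheme/host/port tuple, and the `networkAccess` function models the read / embed / frame / send distinctions raised above. The access kinds, the result strings and the `acceptPostMessage` helper are my own naming, not anything defined by the draft.

```javascript
// Origin tuple per RFC 6454: scheme, host, port, with default ports normalised.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Parse a URL into its origin tuple; schemes we do not model get a null origin.
function originOf(url) {
  const u = new URL(url);
  if (!(u.protocol in DEFAULT_PORTS)) return null;
  return { scheme: u.protocol, host: u.hostname.toLowerCase(),
           port: u.port || DEFAULT_PORTS[u.protocol] };
}

// Serialise an origin the way postMessage's event.origin reports it
// (port omitted when it is the scheme's default).
function serializeOrigin(url) {
  const o = originOf(url);
  if (!o) return 'null';
  const port = o.port === DEFAULT_PORTS[o.scheme] ? '' : ':' + o.port;
  return `${o.scheme}//${o.host}${port}`;
}

function sameOrigin(urlA, urlB) {
  const a = originOf(urlA), b = originOf(urlB);
  if (!a || !b) return false;          // a null origin never matches anything
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// What a document at docUrl may do with targetUrl, by kind of access:
//   'read'  - fetch the bytes and inspect them (XMLHttpRequest); cross-origin
//             this is forbidden unless the target opts in (e.g. via CORS)
//   'embed' - load and use without reading (script, image, style sheet)
//   'frame' - display in a frame; the framed document's DOM stays opaque
//             cross-origin, which is the distinction raised in the email
//   'send'  - submit data (HTML form POST, request without custom headers)
function networkAccess(docUrl, targetUrl, kind) {
  const same = sameOrigin(docUrl, targetUrl);
  switch (kind) {
    case 'read':  return same ? 'allowed' : 'forbidden';
    case 'embed': return 'allowed';
    case 'frame': return same ? 'allowed, DOM readable' : 'allowed, DOM opaque';
    case 'send':  return 'allowed';
    default: throw new Error('unknown access kind: ' + kind);
  }
}

// Receiver-side postMessage check: any origin may send to a window it holds a
// handle to, so the receiver must compare event.origin to the one it expects.
function acceptPostMessage(eventOrigin, expectedUrl) {
  return eventOrigin === serializeOrigin(expectedUrl);
}
```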