Re: Origin header in loading external scripts (ISSUE-63) from Adam Barth on 2009-01-26 (public-html@w3.org from January 2009)

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 26 Jan 2009 10:01:34 -0800
To: Thomas Broyer <t.broyer@gmail.com>
Cc: public-html <public-html@w3.org>
Message-ID: <7789133a0901261001tebdcf4jc495dc60dd8e5bc6@mail.gmail.com>

Wouldn't it be better for the <script> tag to understand CORS?  This
is a confidentiality issue, which is what CORS is aimed at.

Adam


On Mon, Jan 26, 2009 at 2:28 AM, Thomas Broyer <t.broyer@gmail.com> wrote:
>
> Hi all,
>
> Adam Barth said on the IETF HTTPbis list that other specs could define
> some additional constraints on when to send the Origin request header
> (e.g. CORS and/or HTML5), so I believe this is the right place for
> this:
>
> I've a few days ago found a CSRF vulnerability in a product due to
> exposing data as JSON and "JSON-P" (JavaScript, where the same JSON
> data is passed as an argument to a callback function), where the data
> is a "protected resource" (i.e. requires authentication). An attacker
> could then load the JSON-P "script" and process the data in its
> callback function by sending it back to its own server via
> XMLHTTPRequest (or another server via a hidden form); in this case it
> could have been for example the list of all the users of the
> application, along with their email address.
> I suggested them to only allow JSON-P on "public resources", but there
> might be legitimate use cases for allowing JSON-P on protected
> resources so this is not a real long-term solution (in this particular
> case, i.e. for this particular product, there would workarounds, i.e.
> some way to "opt in" exposing some data with JSON-P, but not
> selectively however, depending on the "origin document").
>
> I therefore suggest that HTML5 *requires* browsers to send the Origin
> request header on such GET requests (loading of external scripts),
> where the Origin I-D only has a "MAY" for safe methods.
> I don't think other kind of requests need to be addressed this way as
> this is the only case where an external resource is "imported" within
> the pages' "origin" (e.g. images keep their "origin" information that
> prevent them from being accessed after they've been painted onto a
> <canvas> [1]). Well, there might be CSS stylesheets too, but could
> they "leak information"?
>
> [1] http://dev.w3.org/html5/spec/Overview.html#security-with-canvas-elements
>
> --
> Thomas Broyer
>
>

Received on Monday, 26 January 2009 18:02:10 UTC