02 Jul 2008

See also: IRC log


arun, sicking, sunava, kriszyp, kris, MikeSmith




<chaalsXO> s/work?/work/

<chaalsXO> SD: * doesn't clearly say what it allows - everyone can access, or one person can access everything?

<chaalsXO> JS: Out of context yes, but it should be clear since everything about the spec clarifies it

<chaalsXO> SD: OK

<chaalsXO> JS: If we drop * with cookies then this might go away

<chaalsXO> JS: One big thing remaining is access control path canonicalisation

<chaalsXO> ... concern about granting by path - granting from one URI to cover a whole set...

<chaalsXO> EL: Flash had a problem doing this path-based granting. You can encode hex sequences for ../ and make path-matching security holes

<chaalsXO> .. e.g. /bad/visitor/* can be mapped to /bad/visitor/../../../../victim/secret...

<chaalsXO> JS: I don't knowif flash are doing anything to mitigate this.

<chaalsXO> ... have a proposal, where anything that climbs upwards gets auto-denied.

<chaalsXO> ... there are very few use cases for this.

<chaalsXO> EL: You have toensure that the servers accurately trap this correctly...

<chaalsXO> ... there are attacks based on gps in the normalisation process.

<chaalsXO> JS: Not happy just saying servers should solve this

<chaalsXO> IH: The only sane thing is to make this apply to the entire domain, as a waay to avoid the problem

<chaalsXO> JS: There is a risk with that where too much access is enabled ...

<chaalsXO> IH: The alternative is requiring a lot more pre-flight traffic

<chaalsXO> JS: I am happy leaving this out for now

<chaalsXO> IH: Could make sense

<chaalsXO> ZY: If the server relies on the preflight, you get a problem

<chaalsXO> JS: Right. But you should not be able to do that - an anyway the risk is bad enough to avoid anyway

<chaalsXO> MJS: Seems like a tricky space to get into. Maybe we should start out only allowing options on a single resource

<chaalsXO> DS: Would be good to note the rationale in the spec...

<chaalsXO> IH: The nasty case is atompub, where you have zillions of requests...

<chaalsXO> JS: We don't have a nice solution here. Setting it on the root seems bad too.

<chaalsXO> IH: I really want this feature, but I don't see a good way to do it and think we probaby have to punt it to v2

<chaalsXO> DS: Does that constrain us?

<sunava> http://www.hardened-php.net/library/poking_new_holes_with_flash_crossdomain_policy_files.html#policy_files

<chaalsXO> IH: No, we just have nothing and can add the feature

<chaalsXO> SD: You cn send stuff through headers to the PI?

<chaalsXO> EL: THink this issue is covered

<chaalsXO> ... related concern is the restriction of setting the range header outbound.

<chaalsXO> JS: right - I implemented something that would allow that exploit...

<chaalsXO> ... we could note in the spec that this is an implementation bug. I have smoe concerns about the PI, but that's for tomorrow...

<chaalsXO> ... possibly other headers have similar concerns

<chaalsXO> EL: Interesting because this is something that has a different effect in XS XHR than in local XHR

<chaalsXO> AvK: RANGE requires opt-in

<chaalsXO> JS: We couldwhite-list this. Watch for range...

<chaalsXO> AvK: Sounds messy to spec

<chaalsXO> JS: Sure, but we will have to point it out anyway...

<chaalsXO> AvK: Think you want to be able to see 206 responses...

<chaalsXO> IH: If you get a partial response, then if it doesn't start at byte 1, don't look at the PI

<chaalsXO> ... if we take PI out of the equation we may not need to worry.

<chaalsXO> AvK:Do we wnt to take headers in XBL?

<chaalsXO> IH: We keep it inAC, but special-case it out sometimes.

<chaalsXO> SD: Browsers could get header to identify x-domain cookies, not give them out mistkenly

<chaalsXO> JS: Any infastructure wouldstop working if it required new headers

<arun> scribenick: arun

SD: (citing Jonas' feedback) This is "extra bad" considering that you are violating the HTTP spec.

<chaalsXO> MJS: There are several cookie issues - good topic for tomorrow

JS: I think x-site request forgery issues that exist on the web today exist for very different reasons today.
... outside of Access Control.
... it is hard to mitigate it.
... I don't think that CRSF applies directly to this.

Bryan: I think that if we implement this exactly as you're saying, it will increase CSRF.
... it's not just that your'e sending an attack. Now you can process the response, and can take multiple steps on the response.
... what's possbie right now is you can send a request, but you can't really act on the response. If we go down this road (XHR2 + AC) it enables an attacker to set up a multistage send/process cycle, which is impossible today.

MJS: on the other hand, access control gives you mitigation mechanisms to check origin, etc.

JS: this is applicable to URIs where people specifically opt in to Access Control. You have a resource that accepts requests, but when they set up that resource, they didn't conceive that it could be accessed x-site.

MJS: you need 2 factors. 1. a process against CSRF but 2. opened up access control to site in a way you didn't intend to.
... those are certainly possible, but not likely scenario.

JS: Big risk -- sites do opt in to access control on parts of their URI space that they didn't mean to.

Bryan: difference of XDR is that sites aren't sending Cookies.

JS: mistakes can happen; what we can do is make tools good, language clear enough, do more fine-grained control. That's about all we can do. XDR does have a small risk, but it also supports a smaller feature set. No matter what we do to expand that feature set, we introduce mistakes.

Bryan: by increasing the scope of the functionality, we need to make an informed decision about [security issues].

SD: (citing Jonas' feedback) access control follows user agents privacy policies.
... which user agents?

JS: I think spec. text should reflect that user agents privacy policy should be followed.

SD: one more high level issue.... one was preflights. any more questions on preflights?

EL: In my opinion, virtually everything depends on the preflight. Sounds like making preflight more restrictive, etc., are [answered]. Responses to OPTIONS request are not cacheable.
... if am a server Fidelity with partner PayPal, response otherwise cacheable. Some intermediary proxy would cache that response. No preflight required. No actual concern here, unless Fidelity were to mistakenly overgrant permissions in headers. Server that chooses to participate in OPTIONS has to be worried that intermediate proxy will cache response.

JS: right now a server can say allow " * ". If that gets cached on the way, that would be bad.

MJS: do proxies respect VARY header?

EL: it's a HTTP/1.1 feature.
... IE's support for VARY is dismal.
... servers may be silly to allow " * " for desirable domains.

JS: we always make OPTIONS requests with cache-control no cache. We can do this.
... I'm more concerned than you are here.

EL: I don't know if you know this, but beta2 does send origin (like access control)

MJS: would you (Microsoft) implement a subset of access control that matches XDR's header exchange, if it is a clean subset ?

EL: on the one hand, I understand the appeal, on the other hand, I worry about mixing our implementation with your spec.

JS: I think we can construct the spec. in such a way that you could use the same syntax, and not impede the path forward. The one concern is that it makes it very attractive for people to limit themselves to the subset that IE supports.

ZX: if the spec clearly spells out that some UA may support this mode, and that's limited, it seems conceivable.

SD: we are serious about interoperability. We'd like to see how can do access control with XDR. In IE8 this will be very difficult.

ZX: whatever change we can do with IE8 is very small.

JS: it's an incompatibility because of POST not being preflighted in XDR.

EL: it's an incompatibility among myriad.

MJS: on the XDR implementation, you wouldn't get the preflight. You're opting into two different security models. In the GET case we could construct a similar path, but not with POST.

adjourn meeting

<sicking> Agenda: Resolve outstanding issues on Access-Control

<chaals> http://www.w3.org/2008/webapps/track/products/7

<chaals> access control issues

<mjs> http://www.w3.org/2008/webapps/track/issues/open

<sicking> mjs: some issues raised yesterday not yet in the right product

<mjs> issues 10-14

<sicking> mjs: such as allowing implementations to override the spec with implementation specific security features

<chaals> http://www.w3.org/2008/webapps/track/products/7 -> acess control issues

<sicking> chaals: issues raised yesterday should be in correct product

<sicking> sicking: do we have an issue on what mjs just brought up

<chaals> ISSUE: Should Access-control allow DNS binding defense?

<trackbot> Created ISSUE-29 - Should Access-control allow DNS binding defense? ; please complete additional details at http://www.w3.org/2008/webapps/track/issues/29/edit .

<sicking> mjs: there are two related issues. 1. does the spec allow for DNS rebinding defense. 2. more general, does the spec allow for other defences

<sicking> chaals: given that implementations are going to do that anyway, should the spec allow that

<chaals> ISSUE: Should spec have wording to recognise that User Agents may implement further security beyond the spec?

<trackbot> Created ISSUE-30 - Should spec have wording to recognise that User Agents may implement further security beyond the spec? ; please complete additional details at http://www.w3.org/2008/webapps/track/issues/30/edit .

<sicking> mjs: saying 'caching is allowed to be ignored at any time' will allow for many defences without telling authors that "anything can happen due to security"

<sicking> chaals: lets cover this issue right away since there is consensus

<sicking> sunava: spec seems like it's geared towards browsers rather than developers

<sicking> sunava: how can we ensure that security notes in the spec and elsewhere reaches authors

<sicking> chaals: having information in spec about things that happen in real world is useful.

<tlr> thx

<sicking> arun: tlr raised issue about DNS defense mechanism

<sicking> mjs: not a big deal if we're not requiring that particular defense mechanism but rather just allow for DNS rebind defenses

<chaals> scribeNick: sicking

<arun> arun: fair enough :-)

<tlr> ack re mjs

<chaals> Proposed resoultion: Specifications SHOULD include language recognising that there may be extra implementation detail for security...

anne: we need to figure out what changes to make to the spec

sicking: we can just mention that in the section on caching

mjs: there are two places where we wanna note things
... make sure that the caching rules don't mandate caching
... other thing is mention in security consideration section we should mention that implementations may do this
... we should changes things to SHOULD or MAY to allow for not caching

chaals: implementions should send information about where they want to deviate from spec so that we can get those things into spec

<chaals> RESOLUTION: (provisional, like all real-time resolutions) We will have language noting possible implementation differences, where appropriate. This closes ISSUE-30

mjs: both do what chaals said, and make changes for caching

sicking: Access-Control-Policy-Path got more or less resolved yesterday

mjs: since we can't secure it we should punt it for now

chaals: sounded like google was ok with dropping it

Hixie: well, anyone who does atompub, including google, wants it. But if we can't make it secure there is no point in pushing it

<chaalsXO> RESOLUTION: We drop access-control-policy-path. This closes ISSUE-12

<chaalsXO> RATIONALE: We can't find a decent way to keep it secure yet...

chaalsXO: ISSUE-25

mjs: i think the best suggestion yesterday was to limit amount of time that something can be cached. Such as a day

chaalsXO: what i liked about the other suggestion yesterday, explicit revocation, is that it matches human behavior
... when you mess something up, you can fix it

mjs: the problem is you still have to protect yourself since the first request can be harmful

sam: since you need to protect yourself against the first request anyway, doesn't seem like explicit revocation buys that much

sunava: is origin filtering foolproof?

Hixie: this is all for authenticated requests. All other requests are always possible server-to-server. For those origin filtering should be ok

<tlr> incidentally, +1 to hixie on that one

kriszyp: can we define a status code for revocation

mjs: seems like a 403 could mean revocation

anne: currently the spec is status code agnostic, i sort of like that

Hixie: it makes sense to flush the cache on any 400 status

mjs: that makes sense

Hixie: servers can always deny on "Origin"

sicking: it would have to be something other, origin isn't always cross-site

Hixie: we should have a cross-site-only header

sicking: i agree

weinig: sounds like we've got from not having a revocation mechanism, to having one, which is status code

shepazu: if we're going to have a max time limit. We should look at if there's something less arbitrary than a day

mjs: having a timelimit sounds like a defence in depth mechanism that makes sense

Zhenbin: server will have to take action anyway

sunava: are you worried about extra complexity?

<Hixie> (actually, on second thoughts i think that Origin is enough, we don't need an xhr2-specific header. You'd just have to filter on Origin != expected origin and return 403.)

<anne> (I agree)

mjs: we should go back to why we suggested this in the first place
... there's two concerns:
... someone misconfiguring the server with a long timeout
... someone uses man-in-middle to insert a response with a huge timeout to poison cache for a long time

Hixie: a usecase for huge timeout is google analytics. We want to track using the same uri for a long time with as little overhead as possible

anne: seems like if a user clears there normal caches, then they would expect this cache to be cleared too

mjs: seems like there are pros and cons to a upper limit
... if you make a misstake and don't know how to defend yourself you'll be fine within a day by default
... the downside is that for things like the analytics example they would get more requests

sicking: i think we'll set a limit in mozilla, sounds like the tradeoff is good enough

mjs: optimization tools might recommend to set all your caching limits really high. operators might follow that without fully understanding the consequences.

chaalsXO: sounds like we're argining about MUST vs. SHOULD

Zhenbin: still sounds like an unneccesary measure

shepazu: sounds like it would be good to have interoperability

sicking: i don't think interoperability is an issue, either way servers shouldn't set too long timeouts

weinig: should we mandate or recommendation that switching proxies clear the cache

chaalsXO: should we recommend a short timeout?

sunava: i agree

sicking: i agree

anne: i agree

<weinig> by recommend I mean SHOULD or MAY


<chaalsXO> RESOLUTION: We recommend ('should') a short timeout (with an explanation of why).

<weinig> ISSUE: Allow POST without a preflight with headers in a whitelist

<trackbot> Created ISSUE-31 - Allow POST without a preflight with headers in a whitelist ; please complete additional details at http://www.w3.org/2008/webapps/track/issues/31/edit .

<sunava> sunava is scribing

<arun> scribenick: sunava

<Maciej> cache will be constatly flushed. especially in mobile areas

<arun> sunava, use abbreviations/initials, e.g. maciej = mjs

<jonas> is fine with leaving it out. Implementations can do it

ok, sure

<arun> sunava, also use a colon ":"

C.M: I expect to put in drafts people expecting to call for review of specific aspects, do we add feedback in draft
... I dont think we need a resolutiononthis
... Do we resolve 4xx?

M.S: I dont think we MUST not maintain cache after 4xx

C.M: 5xx may be reasonable to cahce
... I dont want to have arequirement to drop cache in 5xx

<arun> AvK: if a server doesn't respond with an access control header(s), discard response/don't cache

M.S: Revoking preflight based on access control not in response it not sound

Zx: There appears to be a substatus code, this is the case for IIS. Substatus code tells why it is forbidden. Are we using thesubstatus code

AvK: I dont think this is part of HTTP
... A lot of these are IIS specific

Js: If we're not differentiaing between 4xx codes, it doesnt make sense to differentiate based on dots

Ih: We should not make this any different for caching

Zx: 407 means proxy auth required
... For example

IH: You would not have anything cached if this happened

Zx: Not all access are equal

Js: It doesnt change the functionality, we just need to redo the OPTIONS request on next

AvK: The spec requires that if you perform the access control request, if it fails you remove the entry
... So it doesnt depend on status code

<arun> arun: from spec -- " Perform an access control check. If it returns "fail", apply the generic network error steps. Otherwise, if it returns "pass", terminate this algorithm and return with the status flag set to "success". Do not actually terminate the request. "

Cm: This issue resolved

<arun> arun: umm, sorry, i pasted the wrong "otherwise".

<arun> arun: Perform an access control check. If it returns "fail", remove the cache entry, then apply the generic network error steps. Otherwise, if it returns "pass", terminate this algorithm and return with the status flag set to "success". Do not actually terminate the request.

s.w: Bag of worms is next?

Zx: I want to talk about caching,for the GET case, theres not preflight
... YOu do GET with credentials
... If credentials are cached, the cache may say its allowed if the results for the GET are returned from the cache

Js: What a server should do, ( a server that returns different allow headers based on origin) , varying based on origin header. IF a server does that, it should sent a VARY based on origin header.

Ms: If the origin header is the same, it doesnt require any extra validation

Js: If you go to A, says OK, go to A again, then its OK to resue one

Mjs: Most proxies have good support for vary header
... In browser cache implementations sometimes they dont respect vary header

Js: If server sets vary header, caching should work OK
... This is kind of the wildcarding issue, if you go to site A and server says allowed *, and go to B and it should be allowed, then we recommend not including cookies...

Sd: With XDR we decided to have a different cache pool
... Even though it is public data in an anonymous request
... Instead of relying on the server to do the right thing.

Zx: To be very secure, I would recommend separating the cache pool
... But the challenge here would be then you need a different cache pool for a different origin, hmmm...

Js: I'm not following

Zx: First case you talk about, server may say you need to send a vary

Js: Let's say it addition to that we dont allow wild cards with cookies

<chaalsXO> SD: That could work in XDR, but you need a seperate cache for every origin

<chaalsXO> ZX: We still get access control list on get...

<chaalsXO> AvK: could be, not necessarily

<chaalsXO> MJS: Or allow a single response to avoid exposing policy.I think AC requires a specific cache for the OPTIONS response.

can anyone scibe for this?

im particpating

its a bit hard..(I'll re-pickup scribing in a sec)

<chaalsXO> scribenick: kriszyp

<chaalsXO> scribenick: kris

JS: Recognize that there can be concerns with private data be exposed from caches where an entry is cached from a normal same-origin request with cookies and then it can be possibly be returned for a CS request (assuming no Vary header)

IH: Cache: Private should help with proxy caches

SD: You need separate cache pools for each origin to be safe

JS: You only need two cache pools (normal cache and cross-site cache)

<Hixie> ("Cache-Control: private" is the header I mentioned earlier)

JS: You can either provide a list of acceptable sites in the header, or you can do it server-side with the Origin header + Vary: Origin

SD: Does this really work in practice?

AVK: Yes

<chaalsXO> ZX: Think that could solve the problem

<chaalsXO> KZ: Think this would be a good way to do this - important usecase

arun: Can someone propose resolution language?

Js will do it

<sicking> Proposed Resolution In order to avoid caching issues we need the following: UAs need to have a separate cache for cookie-less requests. We should recommend servers to use the Vary header if their Access-Control list varies with the Origin header. Further, if we adopt the don't-allow-wildcardging-with-cookies suggestion that will reduce the risk of server misconfigurations

<chaalsXO> RESOLUTION: In order to avoid caching issues we need the following: UAs need to have a separate cache for cookie-less requests. We should recommend servers to use the Vary header if their Access-Control list varies with the Origin header. Further, if we adopt the don't-allow-wildcardging-with-cookies suggestion that will reduce the risk of server misconfigurations

<MikeSmith> scribenick: MikeSmith

RESOLUTION: In order to avoid caching issues we need the following: UAs need to have a separate cache for cookie-less requests. We should recommend servers to use the Vary header if their Access-Control list varies with the Origin header. Further, if we adopt the don't-allow-wildcardging-with-cookies suggestion that will reduce the risk of server misconfigurations

Summary of Action Items

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.133 (CVS log)
$Date: 2008/07/02 20:56:39 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.133  of Date: 2008/01/18 18:48:51  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: RRSAgent_Text_Format (score 0.99)

FAILED: s/work?/work/
Succeeded: s/i suggest someone draft wordings about when caching should not happen so that implementations know when to do this/implementions should send information about where they want to deviate from spec so that we can get those things into spec/
Succeeded: s/410/403/
Succeeded: s/mandate/mandate or recommendation/
Succeeded: s/Resolution:/Proposed Resolution/
Found ScribeNick: arun
Found ScribeNick: sicking
Found ScribeNick: sunava
Found ScribeNick: kriszyp
WARNING: No scribe lines found matching ScribeNick pattern: <kriszyp> ...
Found ScribeNick: kris
Found ScribeNick: MikeSmith
Inferring Scribes: arun, sicking, sunava, kriszyp, kris, MikeSmith
Scribes: arun, sicking, sunava, kriszyp, kris, MikeSmith
ScribeNicks: arun, sicking, sunava, kriszyp, kris, MikeSmith

WARNING: No "Topic:" lines found.

WARNING: No "Present: ... " found!
Possibly Present: AVK Bryan Cm DS EL EricLaw Hixie ISSUE Ih Js KZ Lachy MikeSmith Ms RATIONALE Sd ZY Zhenbin Zx anne arun chaals chaalsXO cynthia ericstaats joined kris kriszyp left mjs sam scribenick shepazu sicking sunava tlr trackbot wam weinig
You can indicate people for the Present list like this:
        <dbooth> Present: dbooth jonathan mary
        <dbooth> Present+ amy

WARNING: No meeting title found!
You should specify the meeting title like this:
<dbooth> Meeting: Weekly Baking Club Meeting

WARNING: No meeting chair found!
You should specify the meeting chair like this:
<dbooth> Chair: dbooth

Got date from IRC log name: 02 Jul 2008
Guessing minutes URL: http://www.w3.org/2008/07/02-wam-minutes.html
People with action items: 

WARNING: Input appears to use implicit continuation lines.
You may need the "-implicitContinuations" option.

WARNING: No "Topic: ..." lines found!  
Resulting HTML may have an empty (invalid) <ol>...</ol>.

Explanation: "Topic: ..." lines are used to indicate the start of 
new discussion topics or agenda items, such as:
<dbooth> Topic: Review of Amy's report

[End of scribe.perl diagnostic output]