Ian Hickson wrote:
> On Tue, 5 Feb 2008, Jonas Sicking wrote:
>> It introduces ordering issues. Consider the following setup; A server
>> contains two resources, /dir/A and /dir/B, and returns the following
>> replies to OPTIONS requests:
>>
>> /dir/
>>   Access-Control: allow <*> method POST
>>   Method-Check-Policy-Path: /dir/
>>   Method-Check-Max-Age: 3600
>>
>> /dir/A
>>   Access-Control: allow <*> method POST
>>   Method-Check-Policy-Path: /dir/
>>   Method-Check-Max-Age: 3600
>>
>> /dir/B
>>   Access-Control: deny <*> method POST
>>   Method-Check-Max-Age: 3600
>>
>> If a UA now accesses resource A it would do OPTIONS requests to /dir/A
>> and then /dir/ and result in "allow <*> method POST" being cached as the
>> policy for all resources under /dir/.
>>
>> If the UA then tries to do a POST to resource B this would be performed
>> without any OPTIONS requests. I.e. the POST to B would be successful.
>>
>> However if the UA first tries to do a POST to resource B, the UA would
>> first do an OPTIONS request to /dir/B and then abort. I.e. the POST to B
>> would be unsuccessful.
>
> I think this will make debugging a pain, for sure, but I don't think it's
> a security problem. It's just a configuration issue.
It is a security problem if the POST has side-effects, which is very
likely to be the case and the reason we have the OPTIONS request at all.
But yes, it's not a problem in the spec per se. It's a problem in the
way the server was configured. However I do think that adding this
functionality makes it easier to misconfigure servers.
> I can't see a clear way of avoiding it, though.
I don't think there is one as long as we are intent on allowing access
policies to be set in multiple places (i.e. both on the resource and on
any parent directory).
> (Note also that if you access A then B, that even though B would then get
> a POST, it wouldn't leak the data to the requesting Web page. The "deny"
> would still take effect on the response.)
>> The current proposal means that someone that can control the responses
>> to a given directory can effectively control the ability to perform
>> unsafe cross-site requests to any URI under that directory.
>
> Yes, that's the assumption for the proposal. :-) Is it not a safe
> assumption?
I don't know. :(
/ Jonas
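The order-dependent outcome Jonas describes, replayed as an added simulation (my code, not from the thread or the draft): the OPTIONS replies are the three given above; the cache rules (the longest cached policy path that prefixes the URI wins, and a resource that names a Method-Check-Policy-Path is confirmed against that directory before the directory-wide entry is cached) are my assumptions, and Max-Age expiry is not modelled.

```python
# Simulation of the policy-cache ordering issue from the thread above.
# Server replies are the ones in Jonas's example; the caching rules are an
# assumption about how a UA would apply Method-Check-Policy-Path.

# Constructed server: path -> parsed OPTIONS reply (Max-Age ignored here).
SERVER = {
    "/dir/":  {"policy": "allow", "policy_path": "/dir/"},
    "/dir/A": {"policy": "allow", "policy_path": "/dir/"},
    "/dir/B": {"policy": "deny",  "policy_path": None},
}


def options(server, path, log):
    """Send an OPTIONS request (recorded in `log`) and return the reply."""
    log.append(path)
    return server[path]


def cached_policy(cache, path):
    """Policy of the longest cached path that is a prefix of `path`, if any."""
    hits = [p for p in cache if path.startswith(p)]
    return cache[max(hits, key=len)] if hits else None


def preflight_post(cache, server, path):
    """Decide a cross-site POST to `path`; return (decision, OPTIONS sent)."""
    log = []
    hit = cached_policy(cache, path)
    if hit is not None:
        return hit, log                     # no OPTIONS request at all
    reply = options(server, path, log)
    if reply["policy"] == "deny" or reply["policy_path"] is None:
        cache[path] = reply["policy"]       # cached for this URI only
        return reply["policy"], log
    # The resource claims a directory-wide policy: ask the directory itself,
    # then cache "allow" for every URI under it (this is the ordering hole).
    parent = options(server, reply["policy_path"], log)
    if parent["policy"] == "allow" and parent["policy_path"] == reply["policy_path"]:
        cache[reply["policy_path"]] = "allow"
        return "allow", log
    cache[path] = "deny"
    return "deny", log


def run_order(server, order):
    """Replay POSTs in `order` against a fresh cache; one tuple per POST."""
    cache = {}
    return [(p,) + preflight_post(cache, server, p) for p in order]
```

Running `run_order(SERVER, ["/dir/A", "/dir/B"])` lets the POST to B through with no OPTIONS request, while `run_order(SERVER, ["/dir/B"])` denies it after one OPTIONS, which is exactly the discrepancy under discussion.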