
From trac+websec@trac.tools.ietf.org  Fri Aug  5 12:58:53 2011
Return-Path: <trac+websec@trac.tools.ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E2FA21F8ABE for <websec@ietfa.amsl.com>; Fri,  5 Aug 2011 12:58:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.6
X-Spam-Level: 
X-Spam-Status: No, score=-102.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FUB1TJKNx6mk for <websec@ietfa.amsl.com>; Fri,  5 Aug 2011 12:58:53 -0700 (PDT)
Received: from zinfandel.tools.ietf.org (zinfandel.tools.ietf.org [IPv6:2001:1890:1112:1::2a]) by ietfa.amsl.com (Postfix) with ESMTP id 1419E21F8610 for <websec@ietf.org>; Fri,  5 Aug 2011 12:58:53 -0700 (PDT)
Received: from localhost ([::1] helo=zinfandel.tools.ietf.org) by zinfandel.tools.ietf.org with esmtp (Exim 4.76) (envelope-from <trac+websec@trac.tools.ietf.org>) id 1QpQY2-0001rv-BB; Fri, 05 Aug 2011 12:59:10 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: "websec issue tracker" <trac+websec@trac.tools.ietf.org>
X-Trac-Version: 0.11.7
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.11.7, by Edgewall Software
To: jeff.hodges@kingsmountain.com
X-Trac-Project: websec
Date: Fri, 05 Aug 2011 19:59:10 -0000
X-URL: http://tools.ietf.org/websec/
X-Trac-Ticket-URL: http://trac.tools.ietf.org/wg/websec/trac/ticket/5#comment:1
Message-ID: <079.9d5cb4e374a5fb053cdb3bfe802aba91@trac.tools.ietf.org>
References: <070.a9f98ae172e5a2b1327b06b3743756c3@trac.tools.ietf.org>
X-Trac-Ticket-ID: 5
In-Reply-To: <070.a9f98ae172e5a2b1327b06b3743756c3@trac.tools.ietf.org>
X-SA-Exim-Connect-IP: ::1
X-SA-Exim-Rcpt-To: jeff.hodges@kingsmountain.com, websec@ietf.org
X-SA-Exim-Mail-From: trac+websec@trac.tools.ietf.org
X-SA-Exim-Scanned: No (on zinfandel.tools.ietf.org); SAEximRunCond expanded to false
Cc: websec@ietf.org
Subject: Re: [websec] #5: Clarify need for IncludeSubDomains
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Aug 2011 19:58:53 -0000

#5: Clarify need for IncludeSubDomains


Comment(by jeff.hodges@…):

 the above is quoted from this message...

 Re: [HASMAT] strict transport security
 http://www.ietf.org/mail-archive/web/hasmat/current/msg00071.html

-- 
-------------------------------------------+--------------------------------
 Reporter:  jeff.hodges@…                  |       Owner:  =JeffH
     Type:  defect                         |      Status:  new   
 Priority:  major                          |   Milestone:        
Component:  strict-transport-sec           |     Version:        
 Severity:  -                              |    Keywords:        
-------------------------------------------+--------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/websec/trac/ticket/5#comment:1>
websec <http://tools.ietf.org/websec/>


From internet-drafts@ietf.org  Fri Aug  5 16:29:30 2011
Return-Path: <internet-drafts@ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A88CD21F86C1; Fri,  5 Aug 2011 16:29:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.574
X-Spam-Level: 
X-Spam-Status: No, score=-102.574 tagged_above=-999 required=5 tests=[AWL=0.025, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DpjBxXfPOVB2; Fri,  5 Aug 2011 16:29:30 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 47CB121F89A7; Fri,  5 Aug 2011 16:29:30 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 3.57
Message-ID: <20110805232930.12288.80859.idtracker@ietfa.amsl.com>
Date: Fri, 05 Aug 2011 16:29:30 -0700
Cc: websec@ietf.org
Subject: [websec] I-D Action: draft-ietf-websec-strict-transport-sec-02.txt
X-List-Received-Date: Fri, 05 Aug 2011 23:29:30 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Security Working Group of the IETF.

	Title           : HTTP Strict Transport Security (HSTS)
	Author(s)       : Jeff Hodges
                          Collin Jackson
                          Adam Barth
	Filename        : draft-ietf-websec-strict-transport-sec-02.txt
	Pages           : 35
	Date            : 2011-08-05

   This specification defines a mechanism enabling Web sites to declare
   themselves accessible only via secure connections, and/or for users
   to be able to direct their user agent(s) to interact with given sites
   only over secure connections.  This overall policy is referred to as
   HTTP Strict Transport Security (HSTS).  The policy is declared by Web
   sites via the Strict-Transport-Security HTTP Response Header Field,
   and/or by other means, e.g. user agent configuration.


A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-websec-strict-transport-sec-02.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

This Internet-Draft can be retrieved at:
ftp://ftp.ietf.org/internet-drafts/draft-ietf-websec-strict-transport-sec-02.txt

From Jeff.Hodges@KingsMountain.com  Fri Aug  5 16:34:10 2011
Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9CBA221F874C for <websec@ietfa.amsl.com>; Fri,  5 Aug 2011 16:34:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.381
X-Spam-Level: 
X-Spam-Status: No, score=-101.381 tagged_above=-999 required=5 tests=[AWL=-0.886, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LLmFZpr+4bH7 for <websec@ietfa.amsl.com>; Fri,  5 Aug 2011 16:34:10 -0700 (PDT)
Received: from oproxy9.bluehost.com (unknown [IPv6:2605:dc00:100:2::a2]) by ietfa.amsl.com (Postfix) with SMTP id 8AAC921F85A7 for <websec@ietf.org>; Fri,  5 Aug 2011 16:34:09 -0700 (PDT)
Received: (qmail 4543 invoked by uid 0); 5 Aug 2011 23:34:27 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by oproxy9.bluehost.com with SMTP; 5 Aug 2011 23:34:27 -0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=kingsmountain.com; s=default;  h=Content-Transfer-Encoding:Content-Type:Subject:To:MIME-Version:From:Date:Message-ID; bh=5cyATdH7IUj8j5qz7l5sgHwl38DX359gKucnNnONWcY=;  b=Kw+Gq14gi6PAuH1auUClhgLQun/5uW4foIjJct9vbZN7oYBSg/YDeeuM78zMMMXvG84jX2g+LnKy37yecDv4e409wBb2PFbAggvxny/NmeFq8Fd8qp4HqE5cdtjt6DyP;
Received: from outbound4.ebay.com ([216.113.168.128] helo=[10.244.136.211]) by box514.bluehost.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.76) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1QpTuN-0001t4-BG for websec@ietf.org; Fri, 05 Aug 2011 17:34:27 -0600
Message-ID: <4E3C7E03.50902@KingsMountain.com>
Date: Fri, 05 Aug 2011 16:34:27 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.18) Gecko/20110617 Thunderbird/3.1.11
MIME-Version: 1.0
To: IETF WebSec WG <websec@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 216.113.168.128 authed with jeff.hodges+kingsmountain.com}
Subject: Re: [websec] I-D Action: draft-ietf-websec-strict-transport-sec-02.txt
X-List-Received-Date: Fri, 05 Aug 2011 23:34:10 -0000

fyi, here's the change log from -01 to -02:

       1.   Updated Section 7.2 "URI Loading and Port Mapping" fairly
            thoroughly in terms of refining the presentation of the
            steps, and to ensure the various aspects of port mapping are
            clear.  Nominally fixes issue ticket #1
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/1>

       2.   Removed dependencies on
            [I-D.draft-ietf-httpbis-p1-messaging-15].  Thus updated STS
            ABNF in Section 5.1 "Strict-Transport-Security HTTP Response
            Header Field" by lifting some productions entirely from
            [I-D.draft-ietf-httpbis-p1-messaging-15] and leveraging
            [RFC2616].  Addresses issue ticket #2
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/2>.

       3.   Updated Effective Request URI section and definition to use
            language from [I-D.draft-ietf-httpbis-p1-messaging-15] and
            ABNF from [RFC2616].  Fixes issue ticket #3
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/3>.

       4.   Added explicit mention that the HSTS policy applies to all
            TCP ports of a host advertising the HSTS policy.  Nominally
            fixes issue ticket #4
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/4>

       5.   Clarified the need for the "includeSubDomains" directive,
            e.g. to protect Secure-flagged domain cookies.  In
            Section 12.1 "The Need for includeSubDomains".  Nominally
            fixes issue ticket #5
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/5>

       6.   Cited Firesheep as real-live threat in Section 2.3.1.1
            "Passive Network Attackers".  Nominally fixes issue ticket #6
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/6>.

       7.   Added text to Section 10 "UA Implementation Advice"
            justifying connection termination due to tls warnings/errors.
            Nominally fixes issue ticket #7
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/7>.

       8.   Added new subsection Section 7.5 "Interstitially Missing
            Strict-Transport-Security Response Header Field".  Nominally
            fixes issue ticket #8
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/8>.

       9.   Added text to Section 7.3 "Errors in Secure Transport
            Establishment" to explicitly note revocation check failures as
            errors causing connection termination.  Added references to
            [RFC5280] and [RFC2560].  Nominally fixes issue ticket #9
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/9>.

       10.  Added a sentence, noting that distributing specific end-
            entity certs to browsers will also work for self-signed/
            private-CA cases, to Section 9 "Server Implementation Advice"
            Nominally fixes issue ticket #10
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/10>.

       11.  Moved "with no user recourse" language from Section 7.3
            "Errors in Secure Transport Establishment" to Section 10 "UA
            Implementation Advice".  This nominally fixes issue ticket
            #11 <http://trac.tools.ietf.org/wg/websec/trac/ticket/11>.

       12.  Removed any and all dependencies on
            [I-D.draft-ietf-httpbis-p1-messaging-15], instead depending
            on [RFC2616] only.  Fixes issue ticket #12
            <http://trac.tools.ietf.org/wg/websec/trac/ticket/12>.

       13.  Removed the inline "XXX1" issue because no one had commented
            on it and it seems reasonable to suggest as a SHOULD that web
            apps should redirect incoming insecure connections to secure
            connections.

       14.  Removed the inline "XXX2" issue because it was simply for
            raising consciousness about having some means for
            distributing secure web application metadata.


       15.  Removed "TODO1" because description prose for "max-age" in
            the Note following the ABNF in Section 5 seems to be fine.

       16.  Decided for "TODO2" that "the first STS header field wins".
            TODO2 had read: "Decide UA behavior in face of encountering
            multiple HSTS headers in a message.  Use first header?
            Last?".  Removed TODO2.

       17.  Added Section 1.1 "Organization of this specification" for
            readers' convenience.

       18.  Moved design decision notes to be a proper appendix
            Appendix A.

---
end
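As an added illustration of several behaviours in the change log above (policy applied on an entire-host basis to all TCP ports, includeSubDomains covering the subtree under a host, max-age expiry, and a host staying known while a response interstitially omits the header field), here is a toy Known HSTS Host store and http-to-https URI rewrite in Python. This is example code, not the draft's or its authors' code; the host names, ports and timestamps are constructed, and the port mapping (explicit port 80 to 443, other ports kept) is assumed here rather than taken from the log.

```python
# Toy Known HSTS Host store, written as an illustration of the -02 changes
# listed in the log above. Example code only, not from the draft or its
# authors; the host names, ports and timestamps used with it are constructed.
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    include_subdomains: bool
    expires_at: float  # time the header was received + max-age (seconds)


class HstsStore:
    def __init__(self) -> None:
        self._hosts = {}  # lower-cased host name -> HstsEntry

    def note_header(self, host: str, max_age: int,
                    include_subdomains: bool, now: float) -> None:
        """Record (or refresh) a host's policy from a received STS header."""
        self._hosts[host.lower()] = HstsEntry(include_subdomains, now + max_age)

    def is_known(self, host: str, now: float) -> bool:
        """True if host is a Known HSTS Host: an exact match, or an unexpired
        superdomain entry that carries includeSubDomains. An entry stays in
        force until its max-age runs out even if later responses from the
        host omit the header (the 'interstitially missing' case)."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._hosts.get(candidate)
            if entry is None:
                continue
            if entry.expires_at <= now:
                del self._hosts[candidate]  # expired: forget the host
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False


def rewrite_for_hsts(store: HstsStore, url: str, now: float) -> str:
    """Apply the policy to an http:// URI. The policy covers the whole host
    (every TCP port); mapping an explicit port 80 to 443 and keeping any
    other explicit port is an assumption of this example, not from the log."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not store.is_known(parts.hostname or "", now):
        return url
    host = parts.hostname
    netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```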



From julian.reschke@gmx.de  Sat Aug  6 02:10:44 2011
Return-Path: <julian.reschke@gmx.de>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7EB921F882E for <websec@ietfa.amsl.com>; Sat,  6 Aug 2011 02:10:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.04
X-Spam-Level: 
X-Spam-Status: No, score=-104.04 tagged_above=-999 required=5 tests=[AWL=-1.441, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1ZQDuAta9oAp for <websec@ietfa.amsl.com>; Sat,  6 Aug 2011 02:10:40 -0700 (PDT)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.22]) by ietfa.amsl.com (Postfix) with SMTP id 0858621F8834 for <websec@ietf.org>; Sat,  6 Aug 2011 02:10:39 -0700 (PDT)
Received: (qmail invoked by alias); 06 Aug 2011 09:10:57 -0000
Received: from p508FCEA5.dip.t-dialin.net (EHLO [192.168.178.36]) [80.143.206.165] by mail.gmx.net (mp046) with SMTP; 06 Aug 2011 11:10:57 +0200
X-Authenticated: #1915285
X-Provags-ID: V01U2FsdGVkX18KbRMBNAQKyfD+LIwtpoNn+7VDMK70/KV6fOR9ba jBI1gtTnD9TCnv
Message-ID: <4E3D051E.80206@gmx.de>
Date: Sat, 06 Aug 2011 11:10:54 +0200
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20110624 Thunderbird/5.0
MIME-Version: 1.0
To: =JeffH <Jeff.Hodges@KingsMountain.com>
References: <4E3C7E03.50902@KingsMountain.com>
In-Reply-To: <4E3C7E03.50902@KingsMountain.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
Cc: IETF WebSec WG <websec@ietf.org>
Subject: [websec] effective request URI def, was:  I-D Action: draft-ietf-websec-strict-transport-sec-02.txt
X-List-Received-Date: Sat, 06 Aug 2011 09:10:44 -0000

On 2011-08-06 01:34, =JeffH wrote:
> ...
> 12. Removed any and all dependencies on
> [I-D.draft-ietf-httpbis-p1-messaging-15], instead depending
> on [RFC2616] only. Fixes issue ticket #12
> <http://trac.tools.ietf.org/wg/websec/trac/ticket/12>.
> ...

Not sure this is a good idea.

The current text copies a known bug from 
draft-ietf-httpbis-p1-messaging-15 (see 
<http://trac.tools.ietf.org/wg/httpbis/trac/changeset/1340>).

Also, the ABNF claims it's based on RFC 2616's definitions, but mentions 
RFC 3986 in ABNF comments. This needs to be checked.

Furthermore, there's a risk that HTTPbis will have to tune the 
definition of Effective Request URI furthermore -- see 
<http://trac.tools.ietf.org/wg/httpbis/trac/ticket/222>. (I realize 
that's not your fault, but we somehow have to deal with this).

Best regards, Julian


From julian.reschke@gmx.de  Sat Aug  6 02:36:39 2011
Return-Path: <julian.reschke@gmx.de>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 00AB821F8797 for <websec@ietfa.amsl.com>; Sat,  6 Aug 2011 02:36:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.019
X-Spam-Level: 
X-Spam-Status: No, score=-104.019 tagged_above=-999 required=5 tests=[AWL=-1.420, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KhFe8FpVlNkQ for <websec@ietfa.amsl.com>; Sat,  6 Aug 2011 02:36:38 -0700 (PDT)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.22]) by ietfa.amsl.com (Postfix) with SMTP id 2877F21F85C0 for <websec@ietf.org>; Sat,  6 Aug 2011 02:36:37 -0700 (PDT)
Received: (qmail invoked by alias); 06 Aug 2011 09:36:56 -0000
Received: from p508FCEA5.dip.t-dialin.net (EHLO [192.168.178.36]) [80.143.206.165] by mail.gmx.net (mp072) with SMTP; 06 Aug 2011 11:36:56 +0200
X-Authenticated: #1915285
X-Provags-ID: V01U2FsdGVkX1/CVpRrdzbCRhgnBp3DOVflmlnw20r4dy40xDPnLo ZOgWILGNHT1SY5
Message-ID: <4E3D0B34.3000705@gmx.de>
Date: Sat, 06 Aug 2011 11:36:52 +0200
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20110624 Thunderbird/5.0
MIME-Version: 1.0
To: websec <websec@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
Subject: [websec] Strict-Transport-Security syntax
X-List-Received-Date: Sat, 06 Aug 2011 09:36:39 -0000

Hi there,

a few questions about the header field syntax:

	Strict-Transport-Security =
            "Strict-Transport-Security" ":"  OWS  STS-v  OWS

So the header field is *not* using the RFC2616 list syntax. So you can have

   Strict-Transport-Security: a; b

but *not*

   Strict-Transport-Security: a
   Strict-Transport-Security: b

because that would be equivalent to

   Strict-Transport-Security: a, b

(is this intentional?)

Also in

	; value
	STS-v      = STS-d
         	   / STS-d  *( OWS ";" OWS  STS-d  OWS )

	; STS directive
	STS-d      = STS-d-cur / STS-d-ext

	; defined STS directives
	STS-d-cur  = maxAge / [ includeSubDomains ]

having includeSubDomains optional is a bit weird.

This means that the empty string would be a valid STS-d-cur, thus an 
empty header field is allowed...

Best regards, Julian

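The syntax points in the message above, worked through in an added Python parser that is not part of the original post or the draft: directives are separated by ";" rather than being an RFC 2616 comma list, an empty field value (which the quoted ABNF technically admits) is rejected, and when a response carries more than one Strict-Transport-Security field the first one wins, as the -02 change log decided. The sample header lists are constructed.

```python
# Strict-Transport-Security field parser written as an illustration of the
# syntax points above: ';'-separated directives (not RFC 2616 comma lists),
# an empty field value rejected, and the -02 rule that the first STS header
# field wins. Example code, not from the draft; sample headers are constructed.
import re
from typing import Optional

_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"          # RFC 2616 token
_QUOTED = r'"(?:[^"\\]|\\.)*"'                     # RFC 2616 quoted-string
_DIRECTIVE = re.compile(rf"^({_TOKEN})(?:\s*=\s*({_TOKEN}|{_QUOTED}))?$")


class StsSyntaxError(ValueError):
    pass


def parse_sts_value(value: str) -> dict:
    """Parse one STS-v (the value of a single header field). Note: the simple
    split below does not support a ';' inside a quoted-string value."""
    if value.strip() == "":
        # The quoted ABNF admits this through the optional includeSubDomains;
        # an empty policy is useless, so treat it as a syntax error.
        raise StsSyntaxError("empty Strict-Transport-Security value")
    max_age: Optional[int] = None
    include_subdomains = False
    extensions: dict = {}
    for raw in value.split(";"):
        directive = raw.strip()
        if directive == "":
            raise StsSyntaxError("empty directive between ';' separators")
        m = _DIRECTIVE.match(directive)
        if m is None:
            raise StsSyntaxError(f"malformed directive: {directive!r}")
        name, val = m.group(1).lower(), m.group(2)
        if name == "max-age":
            if max_age is not None or val is None or not re.fullmatch(r"[0-9]+", val):
                raise StsSyntaxError("max-age must appear once, with delta-seconds")
            max_age = int(val)
        elif name == "includesubdomains":
            if include_subdomains or val is not None:
                raise StsSyntaxError("includeSubDomains takes no value, once")
            include_subdomains = True
        else:
            extensions[name] = val  # STS-d-ext: unknown directives kept, not fatal
    if max_age is None:
        raise StsSyntaxError("max-age directive is required")
    return {"max_age": max_age, "include_subdomains": include_subdomains,
            "extensions": extensions}


def is_valid_sts(value: str) -> bool:
    try:
        parse_sts_value(value)
        return True
    except StsSyntaxError:
        return False


def sts_from_headers(header_fields: list) -> Optional[dict]:
    """Select the policy from a response's [(name, value), ...] header list.
    The first Strict-Transport-Security field wins; later ones are ignored."""
    for name, value in header_fields:
        if name.lower() == "strict-transport-security":
            return parse_sts_value(value)
    return None


def rfc2616_folded_value(header_fields: list) -> Optional[str]:
    """What a generic RFC 2616 list-header combiner would produce: the field
    values joined with ', '. With ';' as the directive separator that string
    no longer parses, which is the point raised above."""
    values = [v for n, v in header_fields
              if n.lower() == "strict-transport-security"]
    return ", ".join(values) if values else None
```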

From Jeff.Hodges@KingsMountain.com  Sat Aug  6 07:27:01 2011
Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4609821F8801 for <websec@ietfa.amsl.com>; Sat,  6 Aug 2011 07:27:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.532
X-Spam-Level: 
X-Spam-Status: No, score=-100.532 tagged_above=-999 required=5 tests=[AWL=-0.867, BAYES_50=0.001, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1q+OmpderCBW for <websec@ietfa.amsl.com>; Sat,  6 Aug 2011 07:27:00 -0700 (PDT)
Received: from oproxy4-pub.bluehost.com (oproxy4-pub.bluehost.com [69.89.21.11]) by ietfa.amsl.com (Postfix) with SMTP id 9838321F87C6 for <websec@ietf.org>; Sat,  6 Aug 2011 07:27:00 -0700 (PDT)
Received: (qmail 7253 invoked by uid 0); 6 Aug 2011 14:27:21 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by cpoproxy1.bluehost.com with SMTP; 6 Aug 2011 14:27:21 -0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=kingsmountain.com; s=default;  h=Content-Transfer-Encoding:Content-Type:Subject:CC:To:MIME-Version:From:Date:Message-ID; bh=4q5pmxuJr4cbgt8XWWxyLbdblt0UuZGjmMEJ3PGduds=;  b=2CyNgtIpAcqNRX7LcateqfH8ngB5F3Q56d/n37FwoWtYmgZ9y5YrNlAlRZCiOi3ItN1DgUBU+zGyGs9BQKEOezunLTxAZtV5OpEMmOEbdOZOEks560tZQqruzAnKYVC3;
Received: from c-24-4-122-173.hsd1.ca.comcast.net ([24.4.122.173] helo=[192.168.11.10]) by box514.bluehost.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.76) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1QphqS-0005tX-W2; Sat, 06 Aug 2011 08:27:21 -0600
Message-ID: <4E3D4F47.3090209@KingsMountain.com>
Date: Sat, 06 Aug 2011 07:27:19 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.18) Gecko/20110617 Thunderbird/3.1.11
MIME-Version: 1.0
To: Julian Reschke <julian.reschke@gmx.de>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 24.4.122.173 authed with jeff.hodges+kingsmountain.com}
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] Strict-Transport-Security syntax and effective request URI def
X-List-Received-Date: Sat, 06 Aug 2011 14:27:01 -0000

Hi Julian, thanks a bunch for your reviews and the ABNF parser info you've sent 
me.

ALL: now's a good time to review draft-ietf-websec-strict-transport-sec in 
detail -- as mentioned in Quebec last week, we want to get this spec in shape 
for WG LC sooner rather than later (and I believe it's pretty close to ready as 
of now). I'll be popping it back up to the top of my to-do list after this next 
week.

thanks,

=JeffH

From stpeter@stpeter.im  Tue Aug  9 09:44:08 2011
Return-Path: <stpeter@stpeter.im>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1447F21F8CF3 for <websec@ietfa.amsl.com>; Tue,  9 Aug 2011 09:44:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.641
X-Spam-Level: 
X-Spam-Status: No, score=-102.641 tagged_above=-999 required=5 tests=[AWL=-0.042, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 95j2c+HLnyIF for <websec@ietfa.amsl.com>; Tue,  9 Aug 2011 09:44:07 -0700 (PDT)
Received: from stpeter.im (mailhost.stpeter.im [207.210.219.225]) by ietfa.amsl.com (Postfix) with ESMTP id 167D421F8CAA for <websec@ietf.org>; Tue,  9 Aug 2011 09:44:07 -0700 (PDT)
Received: from dhcp-64-101-72-239.cisco.com (unknown [64.101.72.239]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id C31E2413D9; Tue,  9 Aug 2011 10:46:12 -0600 (MDT)
Message-ID: <4E4163EE.2020109@stpeter.im>
Date: Tue, 09 Aug 2011 10:44:30 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:5.0) Gecko/20110624 Thunderbird/5.0
MIME-Version: 1.0
To: =JeffH <Jeff.Hodges@KingsMountain.com>
References: <4E3D4F47.3090209@KingsMountain.com>
In-Reply-To: <4E3D4F47.3090209@KingsMountain.com>
X-Enigmail-Version: 1.2
OpenPGP: url=https://stpeter.im/stpeter.asc
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] Strict-Transport-Security syntax and effective request URI def
X-List-Received-Date: Tue, 09 Aug 2011 16:44:08 -0000

On 8/6/11 8:27 AM, =JeffH wrote:

> ALL: now's a good time to review draft-ietf-websec-strict-transport-sec
> in detail -- as mentioned in Quebec last week, we want to get this spec
> in shape for WG LC sooner rather than later (and I believe it's pretty
> close to ready as of now). I'll be popping it back up to the top of my
> to-do list after this next week.

Thanks for the poke. I've had a chance to read the spec again. Here is
some mostly minor feedback. You can consider this an AD review. :)

SECTION 1

s/Universal Resource Identifier/Uniform Resource Identifier/

Expand "UA" on first use.

   This specification embodies and refines the approach proposed in
   [ForceHTTPS], e.g. a HTTP response header field, named "Strict-
   Transport-Security", is used to convey the site HSTS policy to the UA
   rather than a cookie.

Do you mean "i.e." instead of "e.g."? I suggest:

   This specification embodies and refines the approach proposed in
   [ForceHTTPS]; i.e. instead of using a cookie it defines and uses
   an HTTP response header field, named "Strict-Transport-Security",
   to convey the site HSTS policy to the UA.

The document is a bit unclear about the denotation of "HSTS policy".
Sometimes it refers to the site's policy and sometimes to the overall
recommendations defined in the spec.

   This specification also incorporates notions
   from [JacksonBarth2008] in that the HSTS policy is applied on an
   "entire-host" basis: it applies to all TCP ports on the host.
   Additionally, HSTS policy can be applied to the entire domain name
   subtree rooted at a given host name.  This enables HSTS to protect
   so-called "domain cookies", which are applied to all subdomains of a
   given domain.

Perhaps it would be helpful to contrast the all ports and entire subtree
principles with the same origin policy also being worked on in this WG,
with an informational reference to the appropriate spec.

SECTION 2.1

   o  Web browser user wishes to discover, or be introduced to, and/or
      utilize various web sites (some arbitrary, some known) in a secure
      fashion.

Does this specification really talk about discovery? I don't see
anything about that later in the document. Also it's not clear to me
what the spec means by "be introduced to". I suggest:

   o  Web browser user wishes to interact with various web sites (some
      arbitrary, some known) in a secure fashion.

SECTION 2.3.1.3

The term "mixed content" threw me off because it is also used in XML:

http://www.w3.org/TR/2008/REC-xml-20081126/#sec-mixed-content

Also, it might be good to consistently use and prefer the term "mixed
security context" in this specification.

SECTION 3

Please use the RFC 2119 boilerplate rather than inventing your own.

SECTION 4

Regarding the terms "Domain Name" and "Domain Name Label", I'm leery of
defining them anew and would suggest referring to the definitions in,
say, RFC 5890 (or ideally RFC 1034 and RFC 1035).

SECTION 5.1

I have yet to review the ABNF here.

SECTION 7

We have a normative reference to RFC 3490, which has been obsoleted by
RFC 5890 and friends. Why not cite the definition of A-label from
Section 2.3.2.1 of RFC 5890? To wit:

   o  An "A-label" is the ASCII-Compatible Encoding (ACE, see
      Section 2.3.2.5) form of an IDNA-valid string.  It must be a
      complete label: IDNA is defined for labels, not for parts of them
      and not for complete domain names.  This means, by definition,
      that every A-label will begin with the IDNA ACE prefix, "xn--"
      (see Section 2.3.2.5), followed by a string that is a valid output
      of the Punycode algorithm [RFC3492] and hence a maximum of 59
      ASCII characters in length.  The prefix and string together must
      conform to all requirements for a label that can be stored in the
      DNS including conformance to the rules for LDH labels
      (Section 2.3.1).  If and only if a string meeting the above
      requirements can be decoded into a U-label is it an A-label.

SECTION 7.1.1

What does it mean to "congruently match"?

SECTION 7.3

Isn't RFC 2560 the right spec for OCSP?

SECTION 7.5

I can't parse this clause:

   the UA SHOULD continue to treat the host as a Known
   HSTS Host until the max age for the knowledge that Known HSTS Host is
   reached.

SECTION 8

Once again we're normatively referencing RFC 3490 instead of IDNA2008.

SECTION 11

Is "effective request URI" defined anywhere that we can reference?

SECTION 12.2

Let's add an informational reference to RFC 4732.

Can we add some more details to the description of the denial of service
attack? IMHO it's a bit thin.

GLOBAL

There are various spelling and grammar errors, but I assume those will
be fixed along the way.

That's it for now...

Peter

-- 
Peter Saint-Andre
https://stpeter.im/

From alexey.melnikov@isode.com  Tue Aug  9 11:59:29 2011
Message-ID: <4E4183A5.2000800@isode.com>
Date: Tue, 09 Aug 2011 19:59:49 +0100
From: Alexey Melnikov <alexey.melnikov@isode.com>
To: websec@ietf.org
Subject: [websec] WebSec WG secretary

WebSec WG Chairs are pleased to welcome Yoav Nir <ynir@checkpoint.com> 
as the WebSec WG Secretary. He will help us to keep track of discussions 
and keep the WG running smoothly. Thank you to Yoav for accepting the job.

Best Regards,
Tobias and Alexey, as WG chairs.


From tobias.gondrom@gondrom.org  Tue Aug  9 12:12:44 2011
Message-ID: <4E4186A4.3030500@gondrom.org>
Date: Tue, 09 Aug 2011 20:12:36 +0100
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
To: websec@ietf.org
Subject: [websec] minutes for WEBSEC meeting in Quebec

Hello dear Websec fellows,

FYI: just uploaded our meeting minutes. You can find them here:
http://www.ietf.org/proceedings/81/minutes/websec.txt

Please contact me (Tobias) in case of any corrections/comments on the 
minutes.

And a special big thank you to Yoav for taking the minutes and joining 
as our WG secretary!

Tobias & Alexey
chairs of websec


Ps.: of course all presentation slides and agenda are online as well:
https://datatracker.ietf.org/meeting/81/materials.html#wg-websec

From internet-drafts@ietf.org  Tue Aug 16 19:10:46 2011
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
Cc: websec@ietf.org
Message-ID: <20110817021045.12300.48350.idtracker@ietfa.amsl.com>
Date: Tue, 16 Aug 2011 19:10:45 -0700
Subject: [websec] I-D Action: draft-ietf-websec-origin-03.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Security Working Group of the IETF.

	Title           : The Web Origin Concept
	Author(s)       : Adam Barth
	Filename        : draft-ietf-websec-origin-03.txt
	Pages           : 26
	Date            : 2011-08-16

   This document defines the concept of an "origin", which is often used
   as the scope of authority or privilege by user agents.  Typically,
   user agents isolate content retrieved from different origins to
   prevent malicious web site operators from interfering with the
   operation of benign web sites.  In addition to outlining the
   principles that underlie the concept of origin, this document defines
   how to determine the origin of a URI, how to serialize an origin into
   a string, and an HTTP header, named "Origin", that indicates which
   origins are associated with an HTTP request.


A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-websec-origin-03.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

This Internet-Draft can be retrieved at:
ftp://ftp.ietf.org/internet-drafts/draft-ietf-websec-origin-03.txt

From ietf@adambarth.com  Tue Aug 16 19:13:55 2011
In-Reply-To: <4E248B9C.1070701@gondrom.org>
References: <4E248B9C.1070701@gondrom.org>
From: Adam Barth <ietf@adambarth.com>
Date: Tue, 16 Aug 2011 19:14:11 -0700
Message-ID: <CAJE5ia9nSRKBaLSWiL4NhfVR6_-U8+DYmaQ5pDNx1JKy7ezCAQ@mail.gmail.com>
To: Tobias Gondrom <tobias.gondrom@gondrom.org>
Cc: websec@ietf.org
Subject: Re: [websec] WG Last Call on draft-ietf-websec-origin-02 until Aug-15

I've uploaded a new version of the draft, which incorporates all the
feedback I've received:

http://www.ietf.org/id/draft-ietf-websec-origin-03.txt

Please let me know if I've missed any feedback.

Thanks all,
Adam


On Mon, Jul 18, 2011 at 12:38 PM, Tobias Gondrom
<tobias.gondrom@gondrom.org> wrote:
> Hello dear websec fellows,
>
> after reading the feedback and the update on the origin draft, I have the
> impression that the draft is in good shape and would like to ask for WG
> Last Call for this document:
> http://tools.ietf.org/html/draft-ietf-websec-origin-02
>
> As we are close to the IETF meeting in Quebec, this last call will be
> extended to four weeks and _*close on August-15.*_ Please make a last
> careful review of the draft and submit comments, questions and discuss items
> for this draft ASAP. If you perceive any major issues, it might also make
> sense to raise them during our meeting in Quebec on July-25.
>
> Kind regards and thank you,
>
> Tobias
> chair of websec
>
>
> Tobias Gondrom
> email: tobias.gondrom@gondrom.org
> mobile: +447521003005
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec
>

From alexey.melnikov@isode.com  Sat Aug 20 10:52:02 2011
Message-ID: <4E4FF470.2030804@isode.com>
Date: Sat, 20 Aug 2011 18:52:48 +0100
From: Alexey Melnikov <alexey.melnikov@isode.com>
To: Adam Barth <ietf@adambarth.com>
References: <4E248B9C.1070701@gondrom.org> <CAJE5ia9nSRKBaLSWiL4NhfVR6_-U8+DYmaQ5pDNx1JKy7ezCAQ@mail.gmail.com>
In-Reply-To: <CAJE5ia9nSRKBaLSWiL4NhfVR6_-U8+DYmaQ5pDNx1JKy7ezCAQ@mail.gmail.com>
Cc: websec@ietf.org
Subject: Re: [websec] WG Last Call on draft-ietf-websec-origin-02 until Aug-15

Adam Barth wrote:

>I've uploaded a new version of the draft, which incorporates all the
>feedback I've received:
>
>http://www.ietf.org/id/draft-ietf-websec-origin-03.txt
>
>Please let me know if I've missed any feedback.
>
Hi Adam,
Sorry, I forgot to send out my comments on -02:

3.2.1.  Examples

   All of the following resources have the same origin:


   http://example.com/
   http://example.com:80/
   http://example.com/path/file
   http://example.com/

The first and the last example are identical, was this intentional?


4.  Origin of a URI

   The origin of a URI is the value computed by the following algorithm:

   1.  If the URI does not use a server-based naming authority, or if
       the URI is not an absolute URI, then return a globally unique
       identifier.

 [...]

   6.  If there is no port component of the URI:

       1.  Let uri-port be the default port for the protocol given by
           uri-scheme.

       Otherwise:

       2.  Let uri-port be the port component of the URI.

I know this is an obscure case, but what will this algorithm return for 
a mailto URI (assuming that it is supported)? I am not entirely clear 
that # 1 applies here.


5.  Comparing Origins

      NOTE: A URI is not necessarily same-origin with itself.  For
      example, a data URI is not same-origin with itself because data

An Informative reference for the "data" URI scheme is needed here.

      URIs do not use a server-based naming authority and therefore have
      globally unique identifiers as origins.


6.  Serializing Origins

   This section defines how to serialize an origin to a unicode string
   and to an ASCII string.

Both Unicode and ASCII need references, I think they are normative.


From ietf@adambarth.com  Sat Aug 20 12:46:33 2011
In-Reply-To: <4E4FF470.2030804@isode.com>
References: <4E248B9C.1070701@gondrom.org> <CAJE5ia9nSRKBaLSWiL4NhfVR6_-U8+DYmaQ5pDNx1JKy7ezCAQ@mail.gmail.com> <4E4FF470.2030804@isode.com>
From: Adam Barth <ietf@adambarth.com>
Date: Sat, 20 Aug 2011 12:47:00 -0700
Message-ID: <CAJE5ia-Ak3FOhMOjDDcYubnqGY2A8S=sf-gYYgCEDcXU1y6KCg@mail.gmail.com>
To: Alexey Melnikov <alexey.melnikov@isode.com>
Cc: websec@ietf.org
Subject: Re: [websec] WG Last Call on draft-ietf-websec-origin-02 until Aug-15

On Sat, Aug 20, 2011 at 10:52 AM, Alexey Melnikov
<alexey.melnikov@isode.com> wrote:
> Adam Barth wrote:
>
>> I've uploaded a new version of the draft, which incorporates all the
>> feedback I've received:
>>
>> http://www.ietf.org/id/draft-ietf-websec-origin-03.txt
>>
>> Please let me know if I've missed any feedback.
>>
> Hi Adam,
> Sorry, I forgot to send out my comments on -02:
>
> 3.2.1.  Examples
>
>  All of the following resources have the same origin:
>
>
>  http://example.com/
>  http://example.com:80/
>  http://example.com/path/file
>  http://example.com/
>
> The first and the last example are identical, was this intentional?

Nope.  Fixed.

> 4.  Origin of a URI
>
>  The origin of a URI is the value computed by the following algorithm:
>
>  1.  If the URI does not use a server-based naming authority, or if
>      the URI is not an absolute URI, then return a globally unique
>      identifier.
>
> [...]
>
>  6.  If there is no port component of the URI:
>
>      1.  Let uri-port be the default port for the protocol given by
>          uri-scheme.
>
>      Otherwise:
>
>      2.  Let uri-port be the port component of the URI.
>
> I know this is an obscure case, but what will this algorithm return for a
> mailto URI (assuming that it is supported)? I am not entirely clear that # 1
> applies here.

It's a globally unique identifier.  mailto doesn't use a server-based
naming authority.  For example, here's a nutty mailto URI:

mailto:alexey.melnikov@isode.com,websec@ietf.org

Although the common case of mailto URLs does contain the name of a
single server, the general case doesn't.  (Admitted, this probably
isn't as clearly defined as it could be.)

> 5.  Comparing Origins
>
>     NOTE: A URI is not necessarily same-origin with itself.  For
>     example, a data URI is not same-origin with itself because data
>
> An Informative reference for the "data" URI scheme is needed here.

Done.

>     URIs do not use a server-based naming authority and therefore have
>     globally unique identifiers as origins.
>
>
> 6.  Serializing Origins
>
>  This section defines how to serialize an origin to a unicode string
>  and to an ASCII string.
>
> Both Unicode and ASCII need references, I think they are normative.

Ok.  Are these the best references?

      <t>This section defines how to serialize an origin to a unicode <xref
      target="RFC5198" /> string and to an ASCII <xref target="RFC20" />
      string.</t>

Thanks,
Adam
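
The algorithm, the mailto question and the serialization discussed in this exchange, as one added worked example (mine, not code from the draft or its author): it computes an origin, compares two, and serializes one. Assumptions: a constructed supported-scheme/default-port table; the steps the quote elides, the "null" serialization and the Unicode form follow my reading of the draft rather than text on this page.

```python
"""Origin computation, comparison and serialization as discussed in this
thread (Sections 4, 5 and 6 of the origin draft).  Added illustration,
not code from the draft or its author."""
import itertools
from urllib.parse import urlsplit

# Constructed assumption: the schemes this toy implementation supports,
# each using a server-based naming authority (RFC 3986, Section 3.2),
# with its default port for step 6 of the algorithm.
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}

_ids = itertools.count(1)


class GloballyUniqueIdentifier:
    """Opaque origin returned by step 1.  It compares equal only to
    itself, which is why a data: or mailto: URI is not same-origin with
    itself: each evaluation mints a fresh identifier."""

    def __init__(self):
        self.number = next(_ids)

    def __eq__(self, other):
        return self is other

    def __hash__(self):
        return id(self)

    def __repr__(self):
        return f"<globally-unique-origin #{self.number}>"


def origin_of(uri):
    """Return the origin of uri: a (scheme, host, port) triple or a
    GloballyUniqueIdentifier.  Steps 1 and 6 are quoted in the thread;
    lowercasing scheme and host and returning the triple are my reading
    of the elided steps, not text shown on this page."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    # Step 1: a relative reference has no scheme; mailto: and data: carry
    # no server-based naming authority (Adam's "nutty" mailto example has
    # no host at all).  Either case, or an unsupported scheme, yields a
    # globally unique identifier.
    if not scheme or scheme not in DEFAULT_PORTS or not parts.hostname:
        return GloballyUniqueIdentifier()
    host = parts.hostname.lower()
    # Step 6: no port component -> default port for the scheme.
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return (scheme, host, port)


def same_origin(uri_a, uri_b):
    """Section 5: two triples match when scheme, host and port are all
    identical; a unique identifier never matches a second one."""
    return origin_of(uri_a) == origin_of(uri_b)


def serialize_ascii(origin):
    """Section 6, ASCII form (my recollection of the draft, an assumption
    here): "null" for a unique identifier, otherwise scheme://host with
    the port appended only when it is not the scheme's default."""
    if isinstance(origin, GloballyUniqueIdentifier):
        return "null"
    scheme, host, port = origin
    if port == DEFAULT_PORTS[scheme]:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def serialize_unicode(origin):
    """Section 6, Unicode form (same assumption): the ASCII form with the
    host's IDNA A-labels ("xn--...") converted back to U-labels via
    Python's built-in idna codec."""
    if isinstance(origin, GloballyUniqueIdentifier):
        return "null"
    scheme, host, port = origin
    u_host = host.encode("ascii").decode("idna")
    return serialize_ascii((scheme, u_host, port))


if __name__ == "__main__":
    # The URIs from Section 3.2.1 of the draft, as quoted in the thread.
    same = ["http://example.com/", "http://example.com:80/",
            "http://example.com/path/file"]
    print("all same-origin:",
          all(same_origin(a, b) for a in same for b in same))
    print("serialized:", serialize_ascii(origin_of(same[0])))
    nutty = "mailto:alexey.melnikov@isode.com,websec@ietf.org"
    print(nutty, "->", origin_of(nutty),
          "| same-origin with itself?", same_origin(nutty, nutty))
    print("data: URI serializes to",
          serialize_ascii(origin_of("data:text/plain,hello")))
```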

From alexey.melnikov@isode.com  Mon Aug 22 01:49:16 2011
Message-ID: <4E52183F.8030900@isode.com>
Date: Mon, 22 Aug 2011 09:50:07 +0100
From: Alexey Melnikov <alexey.melnikov@isode.com>
To: Adam Barth <ietf@adambarth.com>
References: <4E248B9C.1070701@gondrom.org> <CAJE5ia9nSRKBaLSWiL4NhfVR6_-U8+DYmaQ5pDNx1JKy7ezCAQ@mail.gmail.com> <4E4FF470.2030804@isode.com> <CAJE5ia-Ak3FOhMOjDDcYubnqGY2A8S=sf-gYYgCEDcXU1y6KCg@mail.gmail.com>
In-Reply-To: <CAJE5ia-Ak3FOhMOjDDcYubnqGY2A8S=sf-gYYgCEDcXU1y6KCg@mail.gmail.com>
Cc: websec@ietf.org
Subject: Re: [websec] WG Last Call on draft-ietf-websec-origin-02 until Aug-15

Hi Adam,

Adam Barth wrote:

>On Sat, Aug 20, 2011 at 10:52 AM, Alexey Melnikov
><alexey.melnikov@isode.com> wrote:
>  
>
>>Adam Barth wrote:
>>    
>>
>>>I've uploaded a new version of the draft, which incorporates all the
>>>feedback I've received:
>>>
>>>http://www.ietf.org/id/draft-ietf-websec-origin-03.txt
>>>
>>>Please let me know if I've missed any feedback.
>>>      
>>>
>>Hi Adam,
>>Sorry, I forgot to send out my comments on -02:
>>
>>3.2.1.  Examples
>>
>> All of the following resources have the same origin:
>>
>>
>> http://example.com/
>> http://example.com:80/
>> http://example.com/path/file
>> http://example.com/
>>
>>The first and the last example are identical, was this intentional?
>>    
>>
>
>Nope.  Fixed.
>  
>
>>4.  Origin of a URI
>>
>> The origin of a URI is the value computed by the following algorithm:
>>
>> 1.  If the URI does not use a server-based naming authority, or if
>>     the URI is not an absolute URI, then return a globally unique
>>     identifier.
>>
>>[...]
>>
>> 6.  If there is no port component of the URI:
>>
>>     1.  Let uri-port be the default port for the protocol given by
>>         uri-scheme.
>>
>>     Otherwise:
>>
>>     2.  Let uri-port be the port component of the URI.
>>
>>I know this is an obscure case, but what will this algorithm return for a
>>mailto URI (assuming that it is supported)? I am not entirely clear that # 1
>>applies here.
>>    
>>
>It's a globally unique identifier.  mailto doesn't use a server-based
>naming authority.  For example, here's a nutty mailto URI:
>
>mailto:alexey.melnikov@isode.com,websec@ietf.org
>
>Although the common case of mailto URLs does contain the name of a
>single server, the general case doesn't.  (Admitted, this probably
>isn't as clearly defined as it could be.
>
Exactly my point. At first I thought that you meant URI scheme which 
allows for the <authority> component, but it seems like you are trying 
to define a wider category.

>)
>  
>
>>5.  Comparing Origins
>>
>>    NOTE: A URI is not necessarily same-origin with itself.  For
>>    example, a data URI is not same-origin with itself because data
>>
>>An Informative reference for the "data" URI scheme is needed here.
>>    
>>
>Done.
>  
>
>>    URIs do not use a server-based naming authority and therefore have
>>    globally unique identifiers as origins.
>>
>>
>>6.  Serializing Origins
>>
>> This section defines how to serialize an origin to a unicode string
>> and to an ASCII string.
>>
>>Both Unicode and ASCII need references, I think they are normative.
>>    
>>
>Ok.  Are these the best references?
>
>      <t>This section defines how to serialize an origin to a unicode <xref
>      target="RFC5198" /> string and to an ASCII <xref target="RFC20" />
>      string.</t>
>  
>
Something like:

   [Unicode52]  The Unicode Consortium.  The Unicode Standard, Version
                5.2.0, defined by: "The Unicode Standard, Version
                5.2.0", (Mountain View, CA: The Unicode Consortium,
                2009. ISBN 978-1-936213-00-9).

for Unicode. Probably worth pointing to Unicode 6.0 though.

I think RFC 20 is Ok.

                <http://www.unicode.org/versions/Unicode5.2.0/>.



From ietf@adambarth.com  Tue Aug 23 11:37:44 2011
In-Reply-To: <4E52183F.8030900@isode.com>
References: <4E248B9C.1070701@gondrom.org> <CAJE5ia9nSRKBaLSWiL4NhfVR6_-U8+DYmaQ5pDNx1JKy7ezCAQ@mail.gmail.com> <4E4FF470.2030804@isode.com> <CAJE5ia-Ak3FOhMOjDDcYubnqGY2A8S=sf-gYYgCEDcXU1y6KCg@mail.gmail.com> <4E52183F.8030900@isode.com>
From: Adam Barth <ietf@adambarth.com>
Date: Tue, 23 Aug 2011 11:38:20 -0700
Message-ID: <CAJE5ia_eozat_HqRcQSOKyYML2iJstZ5mR3tVDPNCgS2bHxG4g@mail.gmail.com>
To: Alexey Melnikov <alexey.melnikov@isode.com>
Cc: websec@ietf.org
Subject: Re: [websec] WG Last Call on draft-ietf-websec-origin-02 until Aug-15

On Mon, Aug 22, 2011 at 1:50 AM, Alexey Melnikov
<alexey.melnikov@isode.com> wrote:
> Hi Adam,
>
> Adam Barth wrote:
>
>> On Sat, Aug 20, 2011 at 10:52 AM, Alexey Melnikov
>> <alexey.melnikov@isode.com> wrote:
>>
>>>
>>> Adam Barth wrote:
>>>
>>>>
>>>> I've uploaded a new version of the draft, which incorporates all the
>>>> feedback I've received:
>>>>
>>>> http://www.ietf.org/id/draft-ietf-websec-origin-03.txt
>>>>
>>>> Please let me know if I've missed any feedback.
>>>>
>>>
>>> Hi Adam,
>>> Sorry, I forgot to send out my comments on -02:
>>>
>>> 3.2.1. =A0Examples
>>>
>>> All of the following resources have the same origin:
>>>
>>>
>>> http://example.com/
>>> http://example.com:80/
>>> http://example.com/path/file
>>> http://example.com/
>>>
>>> The first and the last example are identical, was this intentional?
>>>
>>
>> Nope. =A0Fixed.
>>
>>>
>>> 4. =A0Origin of a URI
>>>
>>> The origin of a URI is the value computed by the following algorithm:
>>>
>>> 1. =A0If the URI does not use a server-based naming authority, or if
>>> =A0 =A0the URI is not an absolute URI, then return a globally unique
>>> =A0 =A0identifier.
>>>
>>> [...]
>>>
>>> 6. =A0If there is no port component of the URI:
>>>
>>> =A0 =A01. =A0Let uri-port be the default port for the protocol given by
>>> =A0 =A0 =A0 =A0uri-scheme.
>>>
>>> =A0 =A0Otherwise:
>>>
>>> =A0 =A02. =A0Let uri-port be the port component of the URI.
>>>
>>> I know this is an obscure case, but what will this algorithm return for a
>>> mailto URI (assuming that it is supported)? I am not entirely clear that
>>> # 1
>>> applies here.
>>>
>>
>> It's a globally unique identifier.  mailto doesn't use a server-based
>> naming authority.  For example, here's a nutty mailto URI:
>>
>> mailto:alexey.melnikov@isode.com,websec@ietf.org
>>
>> Although the common case of mailto URLs does contain the name of a
>> single server, the general case doesn't.  (Admitted, this probably
>> isn't as clearly defined as it could be.
>>
> Exactly my point. At first I thought that you meant URI scheme which allows
> for the <authority> component, but it seems like you are trying to define a
> wider category.

I've reworked this phrase to more directly reference Section 3.2 of
RFC3986 (and I added an explicit reference).

>>> 6. =A0Serializing Origins
>>>
>>> This section defines how to serialize an origin to a unicode string
>>> and to an ASCII string.
>>>
>>> Both Unicode and ASCII need references, I think they are normative.
>>>
>>
>> Ok.  Are these the best references?
>>
>>      <t>This section defines how to serialize an origin to a unicode <xref
>>      target="RFC5198" /> string and to an ASCII <xref target="RFC20" />
>>      string.</t>
>>
>
> Something like:
>
>   [Unicode52]  The Unicode Consortium.  The Unicode Standard, Version
>                5.2.0, defined by: "The Unicode Standard, Version
>                5.2.0", (Mountain View, CA: The Unicode Consortium,
>                2009. ISBN 978-1-936213-00-9).
>
> for Unicode. Probably worth pointing to Unicode 6.0 though.
>
> I think RFC 20 is Ok.
>
>                <http://www.unicode.org/versions/Unicode5.2.0/>.

Done.

Adam
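
The origin-of-a-URI algorithm quoted above (steps 1 and 6 of section 4 of the draft) and the serialization question raised under section 6, carried through in Python as an added example; this is not code from the draft or from its author. Steps 2 to 5 are not quoted in the thread, so they are taken from the published RFC 6454 (lowercase scheme and host, a globally unique identifier for unsupported schemes); the default-port table is this example's own assumption. It reproduces the draft's own examples (all of the `http://example.com` variants are same-origin) and the mailto case discussed above, which yields an opaque identifier that is equal only to itself and serializes as "null".

```python
import uuid
from urllib.parse import urlsplit

# Default port per scheme. This table is an assumption of the example; the
# draft only says "the default port for the protocol given by uri-scheme".
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443, "ftp": 21}


class GloballyUniqueIdentifier:
    """Opaque origin returned by step 1 (and step 3): it is equal only to
    itself, so two mailto: or data: URIs are never same-origin."""

    def __init__(self):
        self.token = uuid.uuid4()

    def __eq__(self, other):
        return self is other

    def __hash__(self):
        return hash(self.token)


def origin_of_uri(uri):
    """Section 4 of the draft: returns a (scheme, host, port) triple or a
    GloballyUniqueIdentifier. Only steps 1 and 6 are quoted in the thread;
    the others follow RFC 6454."""
    parts = urlsplit(uri)
    # Step 1: not an absolute URI (no scheme), or no server-based naming
    # authority (no host component, as with mailto:, data:, urn:).
    if not parts.scheme or not parts.hostname:
        return GloballyUniqueIdentifier()
    scheme = parts.scheme.lower()                 # step 2
    if scheme not in DEFAULT_PORTS:               # step 3: unsupported scheme
        return GloballyUniqueIdentifier()         # (file: is treated the same here)
    host = parts.hostname.lower()                 # step 5
    try:
        explicit_port = parts.port                # raises ValueError on a non-numeric port
    except ValueError:
        return GloballyUniqueIdentifier()
    # Step 6: the explicit port component, otherwise the scheme's default port.
    port = explicit_port if explicit_port is not None else DEFAULT_PORTS[scheme]
    return (scheme, host, port)                   # step 7


def unicode_serialization(origin):
    """Section 6: "null" for an opaque origin, otherwise
    scheme "://" host [ ":" port ], with the port omitted when it is the
    scheme's default."""
    if isinstance(origin, GloballyUniqueIdentifier):
        return "null"
    scheme, host, port = origin
    serialized = f"{scheme}://{host}"
    if port != DEFAULT_PORTS[scheme]:
        serialized += f":{port}"
    return serialized


def ascii_serialization(origin):
    """The ASCII variant: the same, with the host IDNA-encoded so the result
    can be carried in an HTTP header field."""
    if isinstance(origin, GloballyUniqueIdentifier):
        return "null"
    scheme, host, port = origin
    return unicode_serialization((scheme, host.encode("idna").decode("ascii"), port))


def same_origin(uri_a, uri_b):
    """The comparison behind the section 3.2.1 examples."""
    return origin_of_uri(uri_a) == origin_of_uri(uri_b)


if __name__ == "__main__":
    for u in ("http://example.com/", "http://example.com:80/",
              "http://example.com/path/file", "https://example.com/",
              "http://B\u00fccher.example:8080/",
              "mailto:alexey.melnikov@isode.com,websec@ietf.org"):
        o = origin_of_uri(u)
        print(f"{u:50} -> {unicode_serialization(o)}  /  {ascii_serialization(o)}")
```

The point of the opaque identifier is the comparison semantics: a server-less URI gets an origin that nothing else can ever equal, which is what makes "return a globally unique identifier" the safe answer for mailto rather than a defect in step 1.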

From internet-drafts@ietf.org  Tue Aug 23 11:49:32 2011
Return-Path: <internet-drafts@ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB09121F8C54; Tue, 23 Aug 2011 11:49:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.553
X-Spam-Level: 
X-Spam-Status: No, score=-102.553 tagged_above=-999 required=5 tests=[AWL=0.046, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AumklVtkoMDO; Tue, 23 Aug 2011 11:49:32 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7856221F8C1B; Tue, 23 Aug 2011 11:49:32 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 3.59
Message-ID: <20110823184932.28386.85362.idtracker@ietfa.amsl.com>
Date: Tue, 23 Aug 2011 11:49:32 -0700
Cc: websec@ietf.org
Subject: [websec] I-D Action: draft-ietf-websec-origin-04.txt
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Aug 2011 18:49:33 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Security Working Group of the IETF.

	Title           : The Web Origin Concept
	Author(s)       : Adam Barth
	Filename        : draft-ietf-websec-origin-04.txt
	Pages           : 25
	Date            : 2011-08-23

   This document defines the concept of an "origin", which is often used
   as the scope of authority or privilege by user agents.  Typically,
   user agents isolate content retrieved from different origins to
   prevent malicious web site operators from interfering with the
   operation of benign web sites.  In addition to outlining the
   principles that underlie the concept of origin, this document defines
   how to determine the origin of a URI, how to serialize an origin into
   a string, and an HTTP header, named "Origin", that indicates which
   origins are associated with an HTTP request.


A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-websec-origin-04.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

This Internet-Draft can be retrieved at:
ftp://ftp.ietf.org/internet-drafts/draft-ietf-websec-origin-04.txt

From tobias.gondrom@gondrom.org  Tue Aug 23 13:09:22 2011
Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD5C121F8CD1 for <websec@ietfa.amsl.com>; Tue, 23 Aug 2011 13:09:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -96.254
X-Spam-Level: 
X-Spam-Status: No, score=-96.254 tagged_above=-999 required=5 tests=[AWL=0.524, BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, HELO_MISMATCH_DE=1.448, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id irGe2R1FICtx for <websec@ietfa.amsl.com>; Tue, 23 Aug 2011 13:09:21 -0700 (PDT)
Received: from lvps83-169-7-107.dedicated.hosteurope.de (www.gondrom.org [83.169.7.107]) by ietfa.amsl.com (Postfix) with ESMTP id 622EA21F8CCA for <websec@ietf.org>; Tue, 23 Aug 2011 13:09:21 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1;  q=dns; c=nofws; s=default; d=gondrom.org; b=nSR1w8VDdHgJhrW6vyf8Y4SecARZuXOOpM5gxRMWlZ3+2pIU0C2aBnTnjR7PsvQ7cHCrnn9Z3Vlreq63IOaZfNZgBEZzgwizZ0/3D41zFEDk4g3dLaQOLnvYfi/Dl0Rf; h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:X-Priority:References:In-Reply-To:Content-Type:Content-Transfer-Encoding;
Received: (qmail 7874 invoked from network); 23 Aug 2011 22:09:42 +0200
Received: from 94-194-102-93.zone8.bethere.co.uk (HELO ?192.168.1.66?) (94.194.102.93) by www.gondrom.org with (DHE-RSA-AES256-SHA encrypted) SMTP; 23 Aug 2011 22:09:42 +0200
Message-ID: <4E540906.3050101@gondrom.org>
Date: Tue, 23 Aug 2011 21:09:42 +0100
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:6.0) Gecko/20110812 Thunderbird/6.0
MIME-Version: 1.0
To: websec@ietf.org
X-Priority: 4 (Low)
References: <20110823184932.28386.85362.idtracker@ietfa.amsl.com>
In-Reply-To: <20110823184932.28386.85362.idtracker@ietfa.amsl.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [websec] I-D Action: draft-ietf-websec-origin-04.txt
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Aug 2011 20:09:22 -0000

Hi dear websec fellows,

fyi: thank you very much for your reviews and feedback on the origin 
draft. I hope that all your feedback was incorporated to your 
satisfaction, at least as far as I could see that was the case. After 
conclusion of the WG last call on the draft, I submitted the draft to 
the IESG for IETF LC.

As next steps, maybe we can also take a closer look at HSTS (a new 
revised version should be coming very shortly) and at the 
framework-requirements and advance them.
So if you think about reviewing drafts this week, maybe take a look at 
the framework-requirements draft first. ;-)
http://tools.ietf.org/id/draft-hodges-websec-framework-reqs-00.txt

Many greetings,

Tobias
(websec co-chair)


Ps.: Personally, I will also try to work on the Frame-Options draft(s) 
and aim to submit (revised) versions within two weeks' time.



On 23/08/11 19:49, internet-drafts@ietf.org wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Security Working Group of the IETF.
>
> 	Title           : The Web Origin Concept
> 	Author(s)       : Adam Barth
> 	Filename        : draft-ietf-websec-origin-04.txt
> 	Pages           : 25
> 	Date            : 2011-08-23
>
>     This document defines the concept of an "origin", which is often used
>     as the scope of authority or privilege by user agents.  Typically,
>     user agents isolate content retrieved from different origins to
>     prevent malicious web site operators from interfering with the
>     operation of benign web sites.  In addition to outlining the
>     principles that underlie the concept of origin, this document defines
>     how to determine the origin of a URI, how to serialize an origin into
>     a string, and an HTTP header, named "Origin", that indicates which
>     origins are associated with an HTTP request.
>
>
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-ietf-websec-origin-04.txt
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> This Internet-Draft can be retrieved at:
> ftp://ftp.ietf.org/internet-drafts/draft-ietf-websec-origin-04.txt
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec



From iesg-secretary@ietf.org  Tue Aug 23 14:19:54 2011
Return-Path: <iesg-secretary@ietf.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1356321F8D7B; Tue, 23 Aug 2011 14:19:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.535
X-Spam-Level: 
X-Spam-Status: No, score=-102.535 tagged_above=-999 required=5 tests=[AWL=0.064, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6-aUs1Fn9Zn5; Tue, 23 Aug 2011 14:19:53 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3A1521F8B35; Tue, 23 Aug 2011 14:19:53 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 3.59
Message-ID: <20110823211953.14482.9265.idtracker@ietfa.amsl.com>
Date: Tue, 23 Aug 2011 14:19:53 -0700
Cc: websec@ietf.org
Subject: [websec] Last Call: <draft-ietf-websec-origin-04.txt> (The Web Origin Concept)	to Proposed Standard
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: ietf@ietf.org
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Aug 2011 21:19:54 -0000

The IESG has received a request from the Web Security WG (websec) to
consider the following document:
- 'The Web Origin Concept'
  <draft-ietf-websec-origin-04.txt> as a Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2011-09-06. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


   This document defines the concept of an "origin", which is often used
   as the scope of authority or privilege by user agents.  Typically,
   user agents isolate content retrieved from different origins to
   prevent malicious web site operators from interfering with the
   operation of benign web sites.  In addition to outlining the
   principles that underlie the concept of origin, this document defines
   how to determine the origin of a URI, how to serialize an origin into
   a string, and an HTTP header, named "Origin", that indicates which
   origins are associated with an HTTP request.




The file can be obtained via
http://datatracker.ietf.org/doc/draft-ietf-websec-origin/

IESG discussion can be tracked via
http://datatracker.ietf.org/doc/draft-ietf-websec-origin/


No IPR declarations have been submitted directly on this I-D.



From gerv@mozilla.org  Wed Aug 24 01:53:26 2011
Return-Path: <gerv@mozilla.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 94E4C21F8B33 for <websec@ietfa.amsl.com>; Wed, 24 Aug 2011 01:53:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LEDw-5GmZz8p for <websec@ietfa.amsl.com>; Wed, 24 Aug 2011 01:53:25 -0700 (PDT)
Received: from dm-mail03.mozilla.org (dm-mail03.mozilla.org [63.245.208.213]) by ietfa.amsl.com (Postfix) with ESMTP id A3FBB21F8B29 for <websec@ietf.org>; Wed, 24 Aug 2011 01:53:25 -0700 (PDT)
Received: from [192.168.0.22] (cpc3-enfi7-0-0-cust199.hari.cable.virginmedia.com [82.45.122.200]) (Authenticated sender: gerv@mozilla.org) by dm-mail03.mozilla.org (Postfix) with ESMTP id 3D7144AEE28; Wed, 24 Aug 2011 01:54:35 -0700 (PDT)
Message-ID: <4E54BC49.5020207@mozilla.org>
Date: Wed, 24 Aug 2011 09:54:33 +0100
From: Gervase Markham <gerv@mozilla.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20110808 Thunderbird/6.0
MIME-Version: 1.0
To: Adam Barth <ietf@adambarth.com>
References: <4E248B9C.1070701@gondrom.org> <CAJE5ia9nSRKBaLSWiL4NhfVR6_-U8+DYmaQ5pDNx1JKy7ezCAQ@mail.gmail.com> <4E4FF470.2030804@isode.com> <CAJE5ia-Ak3FOhMOjDDcYubnqGY2A8S=sf-gYYgCEDcXU1y6KCg@mail.gmail.com> <4E52183F.8030900@isode.com> <CAJE5ia_eozat_HqRcQSOKyYML2iJstZ5mR3tVDPNCgS2bHxG4g@mail.gmail.com>
In-Reply-To: <CAJE5ia_eozat_HqRcQSOKyYML2iJstZ5mR3tVDPNCgS2bHxG4g@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Cc: websec@ietf.org
Subject: Re: [websec] WG Last Call on draft-ietf-websec-origin-02 until Aug-15
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Aug 2011 08:53:26 -0000

Hi Adam,

I've only just read this document; I didn't realise it contained a
dis-recommendation for the use of the Public Suffix List.

I couldn't see in the document any other way of allowing two
non-identical but related origins to collaborate. Do you have a
recommendation for this use case (a number of sites across the same
company, and so on)? It's rather an important one on the web today.

Gerv

From ietf@adambarth.com  Wed Aug 24 02:11:04 2011
Return-Path: <ietf@adambarth.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95A6421F8785 for <websec@ietfa.amsl.com>; Wed, 24 Aug 2011 02:11:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.206
X-Spam-Level: 
X-Spam-Status: No, score=-3.206 tagged_above=-999 required=5 tests=[AWL=-0.229, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6GoNyKwyyNAF for <websec@ietfa.amsl.com>; Wed, 24 Aug 2011 02:11:04 -0700 (PDT)
Received: from mail-gy0-f172.google.com (mail-gy0-f172.google.com [209.85.160.172]) by ietfa.amsl.com (Postfix) with ESMTP id 185D121F8770 for <websec@ietf.org>; Wed, 24 Aug 2011 02:11:03 -0700 (PDT)
Received: by gyf3 with SMTP id 3so873698gyf.31 for <websec@ietf.org>; Wed, 24 Aug 2011 02:12:11 -0700 (PDT)
Received: by 10.43.45.70 with SMTP id uj6mr4465849icb.8.1314177131231; Wed, 24 Aug 2011 02:12:11 -0700 (PDT)
Received: from mail-iy0-f182.google.com (mail-iy0-f182.google.com [209.85.210.182]) by mx.google.com with ESMTPS id lr4sm653118icb.8.2011.08.24.02.12.09 (version=SSLv3 cipher=OTHER); Wed, 24 Aug 2011 02:12:09 -0700 (PDT)
Received: by iye1 with SMTP id 1so1574534iye.27 for <websec@ietf.org>; Wed, 24 Aug 2011 02:12:09 -0700 (PDT)
Received: by 10.231.63.6 with SMTP id z6mr9559853ibh.99.1314177129109; Wed, 24 Aug 2011 02:12:09 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.231.41.207 with HTTP; Wed, 24 Aug 2011 02:11:39 -0700 (PDT)
In-Reply-To: <4E54BC49.5020207@mozilla.org>
References: <4E248B9C.1070701@gondrom.org> <CAJE5ia9nSRKBaLSWiL4NhfVR6_-U8+DYmaQ5pDNx1JKy7ezCAQ@mail.gmail.com> <4E4FF470.2030804@isode.com> <CAJE5ia-Ak3FOhMOjDDcYubnqGY2A8S=sf-gYYgCEDcXU1y6KCg@mail.gmail.com> <4E52183F.8030900@isode.com> <CAJE5ia_eozat_HqRcQSOKyYML2iJstZ5mR3tVDPNCgS2bHxG4g@mail.gmail.com> <4E54BC49.5020207@mozilla.org>
From: Adam Barth <ietf@adambarth.com>
Date: Wed, 24 Aug 2011 02:11:39 -0700
Message-ID: <CAJE5ia8mHPyY727oQ4AUprP9sigj5skUwBwQ9e+zq=47edtZwg@mail.gmail.com>
To: Gervase Markham <gerv@mozilla.org>
Content-Type: text/plain; charset=ISO-8859-1
Cc: websec@ietf.org
Subject: Re: [websec] WG Last Call on draft-ietf-websec-origin-02 until Aug-15
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Aug 2011 09:11:04 -0000

On Wed, Aug 24, 2011 at 1:54 AM, Gervase Markham <gerv@mozilla.org> wrote:
> I've only just read this document; I didn't realise it contained a
> dis-recommendation for the use of the Public Suffix List.
>
> I couldn't see in the document any other way of allowing two
> non-identical but related origins to collaborate. Do you have a
> recommendation for this use case (a number of sites across the same
> company, and so on)? It's rather an important one on the web today.

Cross-Origin Resource Sharing is an excellent way of collaborating
between multiple origins:

http://www.w3.org/TR/cors/

In any case, nothing in this document changes how cookies work.  The
IETF recently published RFC6265, which explicitly mentions the use of
the public suffix list.  Similarly, HTML continues to require support
for document.domain, which also uses the public suffix list.

The purpose of this text in this document is to caution against
creating more such reliance on the public suffix list.  Instead, the
verified origin approach (e.g., as used in CORS and CSP) is a much
more robust way of addressing many of the same use cases.

Adam

From julian.reschke@gmx.de  Thu Aug 25 09:31:13 2011
Return-Path: <julian.reschke@gmx.de>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EBF0321F862F for <websec@ietfa.amsl.com>; Thu, 25 Aug 2011 09:31:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.126
X-Spam-Level: 
X-Spam-Status: No, score=-104.126 tagged_above=-999 required=5 tests=[AWL=-1.527, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H29rYDEvK4oL for <websec@ietfa.amsl.com>; Thu, 25 Aug 2011 09:31:13 -0700 (PDT)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.22]) by ietfa.amsl.com (Postfix) with SMTP id BA4B121F8620 for <websec@ietf.org>; Thu, 25 Aug 2011 09:31:12 -0700 (PDT)
Received: (qmail invoked by alias); 25 Aug 2011 16:32:25 -0000
Received: from p508F9FF9.dip.t-dialin.net (EHLO [192.168.178.36]) [80.143.159.249] by mail.gmx.net (mp064) with SMTP; 25 Aug 2011 18:32:25 +0200
X-Authenticated: #1915285
X-Provags-ID: V01U2FsdGVkX19L+NdgjCJLLBVWXvenrAmu1DxwAcyrJfhlzK1DO6 ONgGuk24XtRmpX
Message-ID: <4E567918.4090707@gmx.de>
Date: Thu, 25 Aug 2011 18:32:24 +0200
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0) Gecko/20110812 Thunderbird/6.0
MIME-Version: 1.0
To: ietf@ietf.org
References: <20110823211953.14482.9265.idtracker@ietfa.amsl.com>
In-Reply-To: <20110823211953.14482.9265.idtracker@ietfa.amsl.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
Cc: websec@ietf.org
Subject: Re: [websec] Last Call: <draft-ietf-websec-origin-04.txt> (The Web Origin Concept)	to Proposed Standard
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Aug 2011 16:31:14 -0000

Below are a few late comments.

6. Serializing Origins

- It really really seems that the two algorithms need to be swapped (the 
first one converts to ASCII, but the second does not).

- Also, I'd prefer a declarative definition.

7. The HTTP Origin header

- header *field*

- the syntax doesn't allow multiple header fields, and the prose says 
clients MUST NOT generate them; what is the recipient supposed to do 
when it gets multiple instances anyway? Is the default approach 
(ignoring them all) good enough? Do we need to warn recipients so that 
they check?

11. References

- the WEBSOCKETS reference should be updated (if a new draft is produced)

Best regards, Julian

From julian.reschke@gmx.de  Fri Aug 26 01:07:09 2011
Return-Path: <julian.reschke@gmx.de>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3D2221F8B15 for <websec@ietfa.amsl.com>; Fri, 26 Aug 2011 01:07:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.184
X-Spam-Level: 
X-Spam-Status: No, score=-104.184 tagged_above=-999 required=5 tests=[AWL=-1.585, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4VU30yV1EwpK for <websec@ietfa.amsl.com>; Fri, 26 Aug 2011 01:07:09 -0700 (PDT)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.23]) by ietfa.amsl.com (Postfix) with SMTP id A088F21F8B14 for <websec@ietf.org>; Fri, 26 Aug 2011 01:07:08 -0700 (PDT)
Received: (qmail invoked by alias); 26 Aug 2011 08:08:21 -0000
Received: from p508FA4C2.dip.t-dialin.net (EHLO [192.168.178.36]) [80.143.164.194] by mail.gmx.net (mp067) with SMTP; 26 Aug 2011 10:08:21 +0200
X-Authenticated: #1915285
X-Provags-ID: V01U2FsdGVkX1/pGYpmmMrp6RC9Ik71HTOnXJrUXB7zJbaUstLdNZ fSX5XAwyqfHtWP
Message-ID: <4E575475.30609@gmx.de>
Date: Fri, 26 Aug 2011 10:08:21 +0200
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0) Gecko/20110812 Thunderbird/6.0
MIME-Version: 1.0
To: Adam Barth <w3c@adambarth.com>
References: <4E248B9C.1070701@gondrom.org> <860551CF-FC8D-4C82-86ED-04E1AF4293E3@w3.org> <4E553839.1000302@stpeter.im> <4E566BBD.5010507@gmx.de> <CAJE5ia8WQaF2KVrQY+AB=dF3Zwe-J4WgAHz3GRmDaurLR_gCuQ@mail.gmail.com> <4E573FF2.5000203@gmx.de> <CAJE5ia9epvih+45X=4x70_E7-q+d8FWDdd7gnX4=7c9aFed5Rg@mail.gmail.com>
In-Reply-To: <CAJE5ia9epvih+45X=4x70_E7-q+d8FWDdd7gnX4=7c9aFed5Rg@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
Cc: public-web-security <public-web-security@w3.org>, websec <websec@ietf.org>
Subject: Re: [websec] LC nits on draft-ietf-websec-origin-04, Re: Fwd:  WG Last Call on draft-ietf-websec-origin-02 until Aug-15
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Aug 2011 08:07:09 -0000

On 2011-08-26 09:58, Adam Barth wrote:
> ...
> That could well be important if the Origin header is used in other
> protocols, such as CORS.  Would you recommend requiring the first or
> the last instance?
> ...

(cc'ing the IETF WG; I was replying to the wrong email thread)

I think the right thing to do would be to recommend one of:

- treat the message as invalid, or

- ignore the header field (whatever that means...).

Picking one of the two seems to be the wrong approach.

Best regards, Julian

From ietf@adambarth.com  Fri Aug 26 01:12:13 2011
Return-Path: <ietf@adambarth.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E05621F8B14 for <websec@ietfa.amsl.com>; Fri, 26 Aug 2011 01:12:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.194
X-Spam-Level: 
X-Spam-Status: No, score=-3.194 tagged_above=-999 required=5 tests=[AWL=-0.217, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A+bOk3seoc0v for <websec@ietfa.amsl.com>; Fri, 26 Aug 2011 01:12:11 -0700 (PDT)
Received: from mail-gy0-f172.google.com (mail-gy0-f172.google.com [209.85.160.172]) by ietfa.amsl.com (Postfix) with ESMTP id D007C21F8B0D for <websec@ietf.org>; Fri, 26 Aug 2011 01:12:11 -0700 (PDT)
Received: by gyf3 with SMTP id 3so3022209gyf.31 for <websec@ietf.org>; Fri, 26 Aug 2011 01:13:27 -0700 (PDT)
Received: by 10.150.2.8 with SMTP id 8mr2094412ybb.234.1314346407146; Fri, 26 Aug 2011 01:13:27 -0700 (PDT)
Received: from mail-gy0-f172.google.com (mail-gy0-f172.google.com [209.85.160.172]) by mx.google.com with ESMTPS id r28sm1875088yhm.24.2011.08.26.01.13.26 (version=SSLv3 cipher=OTHER); Fri, 26 Aug 2011 01:13:26 -0700 (PDT)
Received: by gyf3 with SMTP id 3so3022193gyf.31 for <websec@ietf.org>; Fri, 26 Aug 2011 01:13:26 -0700 (PDT)
Received: by 10.231.2.194 with SMTP id 2mr1709733ibk.38.1314346406115; Fri, 26 Aug 2011 01:13:26 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.231.208.69 with HTTP; Fri, 26 Aug 2011 01:12:56 -0700 (PDT)
In-Reply-To: <4E575475.30609@gmx.de>
References: <4E248B9C.1070701@gondrom.org> <860551CF-FC8D-4C82-86ED-04E1AF4293E3@w3.org> <4E553839.1000302@stpeter.im> <4E566BBD.5010507@gmx.de> <CAJE5ia8WQaF2KVrQY+AB=dF3Zwe-J4WgAHz3GRmDaurLR_gCuQ@mail.gmail.com> <4E573FF2.5000203@gmx.de> <CAJE5ia9epvih+45X=4x70_E7-q+d8FWDdd7gnX4=7c9aFed5Rg@mail.gmail.com> <4E575475.30609@gmx.de>
From: Adam Barth <ietf@adambarth.com>
Date: Fri, 26 Aug 2011 01:12:56 -0700
Message-ID: <CAJE5ia8i_tFfm1PoTpu74Op7DXxbKRQDa8hHuG2ke_1yYUxTcw@mail.gmail.com>
To: Julian Reschke <julian.reschke@gmx.de>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: websec <websec@ietf.org>
Subject: Re: [websec] LC nits on draft-ietf-websec-origin-04, Re: Fwd: WG Last Call on draft-ietf-websec-origin-02 until Aug-15
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Aug 2011 08:12:13 -0000

[-public-web-security, to avoid cross-posting too much]

On Fri, Aug 26, 2011 at 1:08 AM, Julian Reschke <julian.reschke@gmx.de> wrote:
> On 2011-08-26 09:58, Adam Barth wrote:
>> ...
>> That could well be important if the Origin header is used in other
>> protocols, such as CORS.  Would you recommend requiring the first or
>> the last instance?
>> ...
>
> (cc'ing the IETF WG; I was replying to the wrong email thread)
>
> I think the right thing to do would be to recommend one of:
>
> - treat the message as invalid, or
>
> - ignore the header field (whatever that means...).
>
> Picking one of the two seems to be the wrong approach.

Ok.  Maybe the best solution is to treat the header as if it contained
the value "null", which basically means the server doesn't know which
origin sent the message.  That's what we recommend user agents do when
they get confused about what value to put in the header.

Adam
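
The recipient-side behaviour discussed in this thread, and the verified-origin approach Adam recommends for CORS in his earlier reply to Gerv, written out in Python as an added example (not text or code from the draft). It implements the proposal above: a request carrying more than one Origin header field is treated as if the field said "null", as is a malformed value, and "null" never matches an allowlist, so the server neither trusts the first instance nor the last. The `serialized-origin` pattern follows the draft's ABNF (scheme "://" host [ ":" port ]) but simplifies the host rule to DNS labels; the allowlist, header names and sample requests are constructed for the demonstration.

```python
import re

# serialized-origin = scheme "://" host [ ":" port ]   (RFC 6454 section 7.1 ABNF)
# The host pattern is a simplification for this example: DNS labels only,
# which is enough to reject paths, query strings and other non-origin values.
SERIALIZED_ORIGIN = re.compile(
    r"^[a-z][a-z0-9+.-]*://"                      # scheme "://"
    r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"            # first host label
    r"(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*"     # further labels
    r"(?::[0-9]{1,5})?$",                         # optional ":" port
    re.IGNORECASE,
)


def effective_origin_list(headers):
    """headers: the request's header fields as (name, value) pairs, in order.
    Returns None when no Origin field is present, the string "null" when the
    request's origin is unknown (multiple Origin fields, an explicit "null",
    or a malformed value), else the list of serialized origins carried by
    the single field (the draft allows a space-separated origin-list)."""
    values = [v.strip() for n, v in headers if n.lower() == "origin"]
    if not values:
        return None
    if len(values) > 1:
        # Senders MUST NOT emit more than one Origin field. Rather than
        # trusting the first or the last instance, treat the origin as unknown.
        return "null"
    value = values[0]
    if value == "null":
        return "null"
    origins = value.split(" ")
    if any(not SERIALIZED_ORIGIN.match(o) for o in origins):
        return "null"  # malformed: do not guess, treat the origin as unknown
    return origins


def cors_allow_origin(headers, allowlist):
    """Returns the value to send in Access-Control-Allow-Origin, or None to
    omit it (the browser then refuses the cross-origin read). `allowlist`
    holds serialized origins in lowercase, compared as exact strings."""
    origins = effective_origin_list(headers)
    # No Origin, unknown origin, or an origin-list longer than one entry:
    # there is no single verified origin to grant access to.
    if origins is None or origins == "null" or len(origins) != 1:
        return None
    origin = origins[0].lower()
    return origin if origin in allowlist else None


# Constructed sample allowlist and requests for the demonstration.
ALLOWLIST = {"https://app.example", "https://admin.example:8443"}
REQUESTS = {
    "single":    [("Host", "api.example"), ("Origin", "https://app.example")],
    "doubled":   [("Origin", "https://app.example"), ("Origin", "https://other.example")],
    "malformed": [("Origin", "https://app.example/index.html")],
    "none":      [("Host", "api.example")],
}

if __name__ == "__main__":
    for name, hdrs in REQUESTS.items():
        print(f"{name:10} origin={effective_origin_list(hdrs)!r:42} "
              f"Access-Control-Allow-Origin={cors_allow_origin(hdrs, ALLOWLIST)!r}")
```

Echoing the request's own Origin value only after an exact match against the allowlist is what makes this a verified-origin check rather than a public-suffix heuristic: the server never computes a "related" domain, it either recognises the serialized origin or it does not. A server that echoes a matched value should also send `Vary: Origin` so caches do not reuse the response across origins.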

From julian.reschke@gmx.de  Fri Aug 26 01:48:50 2011
Return-Path: <julian.reschke@gmx.de>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Message-ID: <4E575E3C.4020801@gmx.de>
Date: Fri, 26 Aug 2011 10:50:04 +0200
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0) Gecko/20110812 Thunderbird/6.0
MIME-Version: 1.0
To: Adam Barth <ietf@adambarth.com>
References: <4E248B9C.1070701@gondrom.org> <860551CF-FC8D-4C82-86ED-04E1AF4293E3@w3.org> <4E553839.1000302@stpeter.im> <4E566BBD.5010507@gmx.de> <CAJE5ia8WQaF2KVrQY+AB=dF3Zwe-J4WgAHz3GRmDaurLR_gCuQ@mail.gmail.com> <4E573FF2.5000203@gmx.de> <CAJE5ia9epvih+45X=4x70_E7-q+d8FWDdd7gnX4=7c9aFed5Rg@mail.gmail.com> <4E575475.30609@gmx.de> <CAJE5ia8i_tFfm1PoTpu74Op7DXxbKRQDa8hHuG2ke_1yYUxTcw@mail.gmail.com>
In-Reply-To: <CAJE5ia8i_tFfm1PoTpu74Op7DXxbKRQDa8hHuG2ke_1yYUxTcw@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: websec <websec@ietf.org>
Subject: Re: [websec] LC nits on draft-ietf-websec-origin-04, Re: Fwd: WG Last Call on draft-ietf-websec-origin-02 until Aug-15
X-List-Received-Date: Fri, 26 Aug 2011 08:48:50 -0000

On 2011-08-26 10:12, Adam Barth wrote:
> [-public-web-security, to avoid cross-posting too much]
>
> On Fri, Aug 26, 2011 at 1:08 AM, Julian Reschke<julian.reschke@gmx.de>  wrote:
>> On 2011-08-26 09:58, Adam Barth wrote:
>>> ...
>>> That could well be important if the Origin header is used in other
>>> protocols, such as CORS.  Would you recommend requiring the first or
>>> the last instance?
>>> ...
>>
>> (cc'ing the IETF WG; I was replying to the wrong email thread)
>>
>> I think the right thing to do would be to recommend one of:
>>
>> - treat the message as invalid, or
>>
>> - ignore the header field (whatever that means...).
>>
>> Picking one of the two seems to be the wrong approach.
>
> Ok.  Maybe the best solution is to treat the header as if it contained
> the value "null", which basically means the server doesn't know which
> origin sent the message.  That's what we recommend user agents do when
> they get confused about what value to put in the header.
> ...

It just occurred to me that this will be hard to do in some cases.

Intermediaries/middleware/libraries are allowed to collapse multiple 
headers into a single one, so

   Origin: http://example.com
   Origin: b

would be combined to

   Origin: http://example.com,b

The "," is allowed in reg-name, so you can't detect this as invalid.

Best regards, Julian

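As an added illustration of the point Julian makes above (example code written for this page, not code from the websec WG or the origin draft): a server-side check that parses a serialized origin using the RFC 3986 reg-name rule, applies the "treat it as null" handling suggested earlier in the thread, and shows what happens once an intermediary has folded the two Origin fields into one. The function names, the sample header fields and the allowlist are constructed for the example; IP-literal hosts in brackets are not modelled.

```python
"""Server-side Origin header handling, illustrating the header-folding problem.

Added example; not code from the websec WG or the origin draft."""
import re
from typing import Iterable, List, Optional, Tuple

# RFC 3986 reg-name = *( unreserved / pct-encoded / sub-delims ).
# "," is a sub-delim, so a host such as "example.com,b" is syntactically legal.
_UNRESERVED = r"A-Za-z0-9\-._~"
_SUB_DELIMS = r"!$&'()*+,;="
_REG_NAME = rf"(?:[{_UNRESERVED}{_SUB_DELIMS}]|%[0-9A-Fa-f]{{2}})*"

# Serialized origin (RFC 6454 section 6.1): scheme "://" host [ ":" port ], or "null".
# Assumption: bracketed IP-literal hosts are not modelled here.
_SERIALIZED_ORIGIN = re.compile(
    rf"^(?P<scheme>[A-Za-z][A-Za-z0-9+\-.]*)://(?P<host>{_REG_NAME})(?::(?P<port>[0-9]+))?$"
)


def parse_serialized_origin(value: str) -> Optional[Tuple[str, str, Optional[int]]]:
    """Return (scheme, host, port) for a syntactically valid serialized origin, else None.
    The literal "null" is valid but has no scheme/host; it is returned as ("null", "", None)."""
    if value == "null":
        return ("null", "", None)
    m = _SERIALIZED_ORIGIN.match(value)
    if m is None:
        return None
    port = int(m.group("port")) if m.group("port") is not None else None
    return (m.group("scheme").lower(), m.group("host").lower(), port)


def fold_header_fields(values: Iterable[str]) -> str:
    """What an intermediary may do with repeated header fields of the same name:
    join them into one field separated by "," (the combining rule of RFC 2616 section 4.2)."""
    return ",".join(values)


def effective_origin(origin_fields: List[str]) -> str:
    """Server-side handling proposed in the thread: a request carrying anything other than
    exactly one syntactically valid Origin field is treated as coming from "null",
    i.e. the server does not know which origin sent it."""
    if len(origin_fields) != 1 or parse_serialized_origin(origin_fields[0]) is None:
        return "null"
    return origin_fields[0]


def is_allowed_origin(origin: str, allowlist: Iterable[str]) -> bool:
    """Authorization decision: exact string match against a configured allowlist.
    "null" is never listed, so an unknown or ambiguous origin is refused."""
    if origin == "null":
        return False
    return origin in set(allowlist)


def demo() -> dict:
    """Walk the thread's example: two Origin fields, before and after folding."""
    raw_fields = ["http://example.com", "b"]   # constructed, taken from the thread
    folded = fold_header_fields(raw_fields)     # -> "http://example.com,b"
    allowlist = {"http://example.com"}          # constructed server configuration
    return {
        "raw_valid": [parse_serialized_origin(v) is not None for v in raw_fields],
        "folded": folded,
        "folded_valid": parse_serialized_origin(folded) is not None,
        "raw_effective": effective_origin(raw_fields),
        "folded_effective": effective_origin([folded]),
        "raw_allowed": is_allowed_origin(effective_origin(raw_fields), allowlist),
        "folded_allowed": is_allowed_origin(effective_origin([folded]), allowlist),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Before folding, the server sees two fields, one of which ("b") is not even a serialized origin, so the "treat as null" rule fires. After folding it sees a single field, "http://example.com,b", which the reg-name grammar accepts, so that rule cannot fire at all; the only thing that still refuses the request is the exact comparison against the allowlist, which is why a server should never try to be clever about partially matching or trimming an Origin value.
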
From ietf@adambarth.com  Fri Aug 26 02:04:10 2011
Return-Path: <ietf@adambarth.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
MIME-Version: 1.0
In-Reply-To: <4E575E3C.4020801@gmx.de>
References: <4E248B9C.1070701@gondrom.org> <860551CF-FC8D-4C82-86ED-04E1AF4293E3@w3.org> <4E553839.1000302@stpeter.im> <4E566BBD.5010507@gmx.de> <CAJE5ia8WQaF2KVrQY+AB=dF3Zwe-J4WgAHz3GRmDaurLR_gCuQ@mail.gmail.com> <4E573FF2.5000203@gmx.de> <CAJE5ia9epvih+45X=4x70_E7-q+d8FWDdd7gnX4=7c9aFed5Rg@mail.gmail.com> <4E575475.30609@gmx.de> <CAJE5ia8i_tFfm1PoTpu74Op7DXxbKRQDa8hHuG2ke_1yYUxTcw@mail.gmail.com> <4E575E3C.4020801@gmx.de>
From: Adam Barth <ietf@adambarth.com>
Date: Fri, 26 Aug 2011 02:04:54 -0700
Message-ID: <CAJE5ia9GZFg8CX9fKvvckA23HLA0dxx5e76-md6PNDspgwe1eA@mail.gmail.com>
To: Julian Reschke <julian.reschke@gmx.de>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: websec <websec@ietf.org>
Subject: Re: [websec] LC nits on draft-ietf-websec-origin-04, Re: Fwd: WG Last Call on draft-ietf-websec-origin-02 until Aug-15
X-List-Received-Date: Fri, 26 Aug 2011 09:04:11 -0000

On Fri, Aug 26, 2011 at 1:50 AM, Julian Reschke <julian.reschke@gmx.de> wrote:
> On 2011-08-26 10:12, Adam Barth wrote:
>>
>> [-public-web-security, to avoid cross-posting too much]
>>
>> On Fri, Aug 26, 2011 at 1:08 AM, Julian Reschke<julian.reschke@gmx.de> wrote:
>>>
>>> On 2011-08-26 09:58, Adam Barth wrote:
>>>>
>>>> ...
>>>> That could well be important if the Origin header is used in other
>>>> protocols, such as CORS.  Would you recommend requiring the first or
>>>> the last instance?
>>>> ...
>>>
>>> (cc'ing the IETF WG; I was replying to the wrong email thread)
>>>
>>> I think the right thing to do would be to recommend one of:
>>>
>>> - treat the message as invalid, or
>>>
>>> - ignore the header field (whatever that means...).
>>>
>>> Picking one of the two seems to be the wrong approach.
>>
>> Ok.  Maybe the best solution is to treat the header as if it contained
>> the value "null", which basically means the server doesn't know which
>> origin sent the message.  That's what we recommend user agents do when
>> they get confused about what value to put in the header.
>> ...
>
> It just occurred to me that this will be hard to do in some cases.
>
> Intermediaries/middleware/libraries are allowed to collapse multiple headers
> into a single one, so
>
>   Origin: http://example.com
>   Origin: b
>
> would be combined to
>
>   Origin: http://example.com,b
>
> The "," is allowed in reg-name, so you can't detect this as invalid.

Correct.  That's why we forbid user agents from generating those requests.

Adam
