[hybi] Concerns about Origin

"Simon Pieters" <simonp@opera.com> Mon, 22 November 2010 13:07 UTC

To: "hybi@ietf.org" <hybi@ietf.org>
Date: Mon, 22 Nov 2010 14:08:35 +0100
From: Simon Pieters <simonp@opera.com>
Message-ID: <op.vmkpgllmidj3kv@simon-pieterss-macbook.local>
Subject: [hybi] Concerns about Origin
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>

One thing I'm concerned about with websockets is that most generic websocket servers seem to just echo the Origin value in Sec-WebSocket-Origin without giving an obvious way for the app writer to restrict which Origins to allow, let alone making it clear to the app writer that it is his responsibility to restrict connections from different origins.

So people might assume that "websockets uses origin-based security model" and go ahead and assume that the browser will disallow connections from other origins.

I think the spec should be even clearer that it is the server's responsibility to restrict connections from unwanted origins, and that browsers will happily attempt to connect to cross-origin websocket servers, which in practice will lead to sites being trivially vulnerable to attacks from other Web pages. I think it might be good to suggest that generic websocket servers should force the app writer to consider which origins he wishes to allow connections from.

For instance, in pywebsocket, the default handshake impl echoes the origin, and the sample app always allows the connection.

http://code.google.com/p/pywebsocket/source/browse/trunk/src/mod_pywebsocket/handshake/handshake.py#196
http://code.google.com/p/pywebsocket/source/browse/trunk/src/example/echo_wsh.py#35

I think it would be better if web_socket_do_extra_handshake required an extra parameter (or something) about which origins to allow (maybe with a regexp or a list of strings or a string with comma-separated origins with a special value like "allow-all-origins").

-- 
Simon Pieters
Opera Software
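The explicit allow-list the post asks generic servers to require, shown as an added example next to the "echo whatever Origin was sent" default it criticises. This is not pywebsocket's code: the function names, the comma-separated allow-list format and the "allow-all-origins" special value follow the post's suggestion but are assumptions, and the header dicts are constructed inputs.

```python
"""Origin allow-list check for a WebSocket handshake (added example, not
pywebsocket's own code; the function names are hypothetical)."""
from urllib.parse import urlsplit

ALLOW_ALL = "allow-all-origins"  # the special value the post floats


def normalize_origin(origin):
    """Canonicalise an Origin value to scheme://host[:port] (lower-cased,
    default port dropped). Returns None for 'null', missing or malformed."""
    if origin is None or origin.strip().lower() == "null":
        return None
    parts = urlsplit(origin.strip())
    try:
        port = parts.port
    except ValueError:  # e.g. non-numeric port
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname \
            or parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    default = 80 if parts.scheme == "http" else 443
    if port is None or port == default:
        return "%s://%s" % (parts.scheme, parts.hostname)
    return "%s://%s:%d" % (parts.scheme, parts.hostname, port)


def parse_allowed_origins(spec):
    """Parse the comma-separated allow-list the post proposes. A bad entry
    raises so a misconfiguration fails at startup instead of allowing all."""
    if spec.strip() == ALLOW_ALL:
        return ALLOW_ALL
    allowed = {normalize_origin(item) for item in spec.split(",")}
    if not allowed or None in allowed:
        raise ValueError("invalid origin in allow-list: %r" % spec)
    return allowed


def _origin_header(headers):
    """Header names are case-insensitive; find Origin however it was sent."""
    return next((v for k, v in headers.items() if k.lower() == "origin"), None)


def echo_origin_handshake(headers):
    """The weak default the post describes: reflect whatever Origin the
    client sent, so any web page can open a connection."""
    return {"Sec-WebSocket-Origin": _origin_header(headers) or ""}


def checked_handshake(headers, allowed):
    """Hardened variant: the app writer must supply the allow-list. A
    missing, 'null' or unlisted Origin aborts the handshake (returns None)."""
    origin = _origin_header(headers)
    if allowed is not ALLOW_ALL and normalize_origin(origin) not in allowed:
        return None
    return {"Sec-WebSocket-Origin": origin or ""}
```

A server would call `checked_handshake` from its handshake hook and answer with an error status (and no upgrade) when it returns None.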