Summary: | Add origin header to POST requests | ||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Product: | WebKit | Reporter: | Adam Barth <abarth> | ||||||||||
Component: | Forms | Assignee: | Collin Jackson <collinj> | ||||||||||
Status: | RESOLVED FIXED | ||||||||||||
Severity: | Normal | CC: | abarth, andersca, ap, beidson, collinj, darin, mjs, pswag994, sam | ||||||||||
Priority: | P2 | ||||||||||||
Version: | 528+ (Nightly build) | ||||||||||||
Hardware: | All | ||||||||||||
OS: | All | ||||||||||||
URL: | http://crypto.stanford.edu/websec/csrf/ | ||||||||||||
Attachments: |
|
Description
Adam Barth
2008-09-11 23:09:43 PDT
Created attachment 23364 [details]
patch
Here is a simple implementation.
Comment on attachment 23364 [details]
patch
Removing review flag because this patch doesn't properly handle HTTPS -> HTTP requests.
For reference, here is the Mozilla bug on this topic: https://bugzilla.mozilla.org/show_bug.cgi?id=446344 Here are Brandon Sterne's thoughts on the topic: http://people.mozilla.org/~bsterne/content-security-policy/origin-header-proposal.html What is the desired behavior for HTTPS -> HTTP requests? we'd like the header to be like Origin: https://www.example.com The current patch shows "null". Keep in mind that this case only occurs if the user clicks through the "insecure form submission" dialog. Created attachment 23646 [details]
Updated patch
We updated the patch to attach an Origin header to POST requests even if the referrer is suppressed. We also added some more tests. The origin-header-for-xmlhttprequest.html test shows the Origin header getting attached to XMLHttpRequest GET requests -- I need to investigate whether this is a bug or a feature.
(In reply to comment #6) > The origin-header-for-xmlhttprequest.html test shows the Origin header getting > attached to XMLHttpRequest GET requests -- I need to investigate whether this > is a bug or a feature. This occurs in the latest nightly without this patch, so it's a feature. :) (In reply to comment #7) > This occurs in the latest nightly without this patch, so it's a feature. :) This patch is currently attaching an Origin header to same-origin GET XMLHttpRequests that's not already present in the nightly. Cross-origin GET requests are unaffected by this patch. Comment on attachment 23646 [details]
Updated patch
+ // Don't send an Origin header for GET or HEAD to avoid privacy issues.
This comment could use a little more information. What privacy issues future me may wonder?
- request.setHTTPHeaderField("Origin", accessControlOrigin());
+ request.setHTTPHeaderField("Origin", m_doc->securityOrigin()->toHTTPOrigin());
This can use request .setHTTPOrigin().
- request.setHTTPHeaderField("Origin", accessControlOrigin());
+ request.setHTTPHeaderField("Origin", m_doc->securityOrigin()->toHTTPOrigin());
As can this.
This doesn't break sending the origin for XHR does it?
Otherwise, awesome! I think one other person should review these changes as well, as I am far from an authority on FrameLoader. Brady, Anders, Darin, or Maciej?
Created attachment 23743 [details]
baseline for XHR origin behavior
Created attachment 23744 [details]
updated patch
Patch updated with Sam's comments. Also, I added a bunch of tests for the Origin header behavior for XHR. I split this into two patches so you can see exactly how this patch changes the behavior. (The previous patch messed up the XHR behavior a bit, so I tweaked a few things.)
Has this been proposed to the HTTP Working Group or another appropriate standards body? I like the idea but I'd like to make sure we put it on track to being officially placed in the appropriate standard. We proposed this informally to the webapps working group a number of months ago, which (I think) is how Mozilla got interested in implementing this. It wasn't clear which spec would be most appropriate. The computation of the header value is speced in HTML 5 for postMessage and for use by cross-site XHR. I doubt the HTTP Working Group want an dependency on HTML 5. :) It is part of Access Control for Cross-Site Requests and I will make sure it is registered as an official HTTP header in due course. (It won't be part of the HTTP specification of course, but other specifications can register header names.) Comment on attachment 23744 [details]
updated patch
The biggest problem is that this sprinkles calls to a new function all over the loader classes. I'm concerned that we have to add the addHTTPOriginIfNeeded function call in so many places. It seems to me that will be hard to maintain -- it will be very easy to introduce a security problem by forgetting to add a call to that function. Is there any way to streamline this? I suppose we have the same issue with the referrer, but it's not even true that these are all the sites that set the referrer!
The loader is already not so great in this respect, but it seems this patch makes it even worse.
+ RefPtr<SecurityOrigin> origin = SecurityOrigin::createEmpty();
+ return origin->toHTTPOrigin();
The local variable isn't needed and the code would read more cleanly without it.
+ // Make sure we send the Origin header properly.
+ addHTTPOriginIfNeeded(request, String());
I don't understand the meaning of the word "properly" in this comment.
+ // will leak the internal host name. Similar privacy concerns have lead
+ // header. This is similar to toString(), except that the empty
We normally don't use two spaces between sentences in comments.
+ RefPtr<SecurityOrigin> emptyOrigin = SecurityOrigin::createEmpty();
+ origin = emptyOrigin->toHTTPOrigin();
The local variable isn't needed and the code would read more cleanly without it. Maybe also a helper function named SecurityOrigin::emptyHTTPOrigin() would be good?
+ // SecurityOrigin is represetned as the string "null".
Typo: "represetned".
I'm going to say review+ despite my comments and minor concerns.
Fixed in r37317. I definitely agree that FrameLoader needs to be reorganized, but it's a bit too big a project for me to take right now. |