Same Origin Policy and Basic/Digest Authentication
Cross Site HTTP Authentication seems to be one attack vector that’s often overlooked across the web.
The attack vector is quite simple. When the WWW-Authenticate is presented to the browser, it will prompt the user for a user name and password and send it back to the requester. This is a problem because when a webpage is loaded, any external resource requested by that page can request HTTP Authentication and trigger this dialog.
There are two ways we can address this issue. Captain obvious says that we should only load trusted resources. This is excellent advice and should be done anyways for countless reasons.
We can also ask browser venders to disallow HTTP Authentication for external resources loaded by a webpage by following a variant of the same-origin-policy.
Proposed change in user agent behavior
When the page http://good.com/resource is rendered, the following table outlines how external resources (requiring Authentication) could be treated. RFC 2617 should be updated to account for these cases.
| URL | Auth | Result | |
http://evil.com/auth.png |
FAILURE | Different domain | |
http://good.com/auth.png |
SUCCESS | Same domain | |
ws://good.com/secure.html |
FAILURE | Different protocol | |
http://good.com:99/auth.png |
FAILURE | Different port | |
http://1.good.com/auth.png |
FAILURE | Different host |
References
- RFC 2616 (Hypertext Transfer Protocol – HTTP/1.1)
- RFC 2617 (HTTP Authentication: Basic and Digest Access Authentication).
- Caja: http://code.google.com/p/google-caja/wiki/PhishingViaCrossSiteHttpAuth
- The Web Origin Concept: http://tools.ietf.org/html/draft-abarth-origin-06
Google+
Pingback: louis vuitton outlet locations