Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Circumventing Origin restriction with proxies #34

Open
elf-pavlik opened this issue Dec 18, 2018 · 7 comments
Open

Circumventing Origin restriction with proxies #34

elf-pavlik opened this issue Dec 18, 2018 · 7 comments
Assignees

Comments

@elf-pavlik
Copy link
Member

https://github.com/solid/web-access-control-spec#referring-to-origins-ie-web-apps

When a compliant server receives a request from a web application running in a browser, the browser will send an extra warning HTTP header, the Origin header.

What about cases where 'malicious' app running in a browser uses a proxy to change the Origin header? I think it might work differently with WebID-OIDC and WebID-TLS.

Malicious app still would need to know which 'allowed' origin to use but let's consider scenario where it knows that 'allowed' origin and proxy sets header to it.

@michielbdejong
Copy link
Contributor

For webid-oidc this is not a problem, because the token that the web app obtains is specific to both webid and app origin. A web app can only obtain a token that is tied to its own origin.

For webid-tls, I don't know, I'll find out!

@elf-pavlik
Copy link
Member Author

Do you refer to aud field in ID Token? I don't know how exactly NSS uses it to verify client's origin, maybe @dmitrizagidulin can link to relevant code. I think of a case where NSS acts just as a Resource Server and app/client gets ID Token from some other OP which as I understand handles the client registration.

@jaxoncreed
Copy link

jaxoncreed commented Apr 4, 2019

This is a reason to move towards client-id based origin tokens. User client id as the origin

@elf-pavlik
Copy link
Member Author

solid/webid-oidc-spec#12 should address it, I will close this one once it gets resolved

@gobengo
Copy link

gobengo commented Apr 4, 2019

I have lots of OIDC context, but limited web-access-control.

I threw out a straw man of removing from the spec this (since it might be adding a MUST that allows unauthorized access via proxy)

When an Origin header is present then BOTH the authenticated agent AND the origin MUST be allowed access

Dmitri mentioned that would face resistance as such. But a better alternative should be developed, then this language removed.

A followup proposal that should be less controversial is to add a warning to the spec right before that MUST

WARNING: This normative language is at-risk of removal because it can be exploited. See this issue (link needed) for progress on a safe alternative.

michielbdejong added a commit to michielbdejong/webid-oidc-spec that referenced this issue Jun 18, 2019
Creating this as a placeholder, it's still incomplete in several aspects:
* we should mention somewhere why PoP token issuer is better than Origin header (namely because of solid/web-access-control-spec#34)
* we should mention that a PoP token is only valid if the issuer is listed in the id token's audiences (is this something the IDP checks and then signs for? I don't even know)
@csarven csarven self-assigned this May 17, 2021
@timbl
Copy link

timbl commented Jun 15, 2021

If a bad proxy does not forward the Origin header, then the CORS security is broken by the bad proxy. Don’t use or implement bad proxies. This does not change WAC.

@elf-pavlik
Copy link
Member Author

I'm describing here possibility of application running in a web browser intentionally using properly implemented proxy which by design allows it to advertise whatever Origin party providing the application wants that application to claim on requests.
Party providing (hosting) the application, is the same party which controls the proxy.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

6 participants