-
Notifications
You must be signed in to change notification settings - Fork 22
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Circumventing Origin restriction with proxies #34
Comments
For webid-oidc this is not a problem, because the token that the web app obtains is specific to both webid and app origin. A web app can only obtain a token that is tied to its own origin. For webid-tls, I don't know, I'll find out! |
Do you refer to |
This is a reason to move towards client-id based origin tokens. User client id as the origin |
solid/webid-oidc-spec#12 should address it, I will close this one once it gets resolved |
I have lots of OIDC context, but limited web-access-control. I threw out a straw man of removing from the spec this (since it might be adding a MUST that allows unauthorized access via proxy)
Dmitri mentioned that would face resistance as such. But a better alternative should be developed, then this language removed. A followup proposal that should be less controversial is to add a warning to the spec right before that MUST
|
Creating this as a placeholder, it's still incomplete in several aspects: * we should mention somewhere why PoP token issuer is better than Origin header (namely because of solid/web-access-control-spec#34) * we should mention that a PoP token is only valid if the issuer is listed in the id token's audiences (is this something the IDP checks and then signs for? I don't even know)
If a bad proxy does not forward the Origin header, then the CORS security is broken by the bad proxy. Don’t use or implement bad proxies. This does not change WAC. |
I'm describing here possibility of application running in a web browser intentionally using properly implemented proxy which by design allows it to advertise whatever Origin party providing the application wants that application to claim on requests. |
https://github.com/solid/web-access-control-spec#referring-to-origins-ie-web-apps
What about cases where 'malicious' app running in a browser uses a proxy to change the Origin header? I think it might work differently with WebID-OIDC and WebID-TLS.
Malicious app still would need to know which 'allowed' origin to use but let's consider scenario where it knows that 'allowed' origin and proxy sets header to it.
The text was updated successfully, but these errors were encountered: