Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Deny off-domain redirects #55

Open
msporny opened this issue Dec 17, 2021 · 1 comment
Open

Deny off-domain redirects #55

msporny opened this issue Dec 17, 2021 · 1 comment

Comments

@msporny
Copy link
Contributor

msporny commented Dec 17, 2021

It has been proposed that DID Web resolution follows HTTP redirects. If this is true, then there are security implications for blindly following re-directs. For example, if a redirect sends you off of the original domain then it allows an attacker to compromise a site merely by controlling the redirect rules rather than placing a file on the site. If we don't allow redirects off of the original domain, it makes it difficult to move a DID Web ID to a different domain in the future. There are trade-offs each way.

One solution to the problem is to restrict redirects for now until we have more experience for redirecting off of the original domain (we may choose to never do this).

One potential algorithm would be:

  1. Do not allow re-directs.

Another potential algorithm would be:

  1. When resolving a DID Web URL, store the original request URL.
  2. Allow re-directions up to N times (to prevent redirect loops). For each re-direct, ensure that the domain does not change, this includes ensuring port numbers don't change (you can't go from port 80 to port 8080).
  3. The final resolved DID Web DID Document must contain an id field that matches the initial canonicalized DID Web URL (see issue Canonical URL algorithm needed for did:web id field #54).

I haven't put a great deal of thought into all the attack vectors for redirects yet, just trying to propose something that can be refined in this issue.

@gribneau
Copy link
Contributor

-1 on following HTTP 3xx redirects.

Returning any 3xx redirect response requires server configuration. An internal rewrite can be accomplished with similar effort, and does not require the client to make another request to a new target URL.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants