You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
It has been proposed that DID Web resolution follows HTTP redirects. If this is true, then there are security implications for blindly following re-directs. For example, if a redirect sends you off of the original domain then it allows an attacker to compromise a site merely by controlling the redirect rules rather than placing a file on the site. If we don't allow redirects off of the original domain, it makes it difficult to move a DID Web ID to a different domain in the future. There are trade-offs each way.
One solution to the problem is to restrict redirects for now until we have more experience for redirecting off of the original domain (we may choose to never do this).
One potential algorithm would be:
Do not allow re-directs.
Another potential algorithm would be:
When resolving a DID Web URL, store the original request URL.
Allow re-directions up to N times (to prevent redirect loops). For each re-direct, ensure that the domain does not change, this includes ensuring port numbers don't change (you can't go from port 80 to port 8080).
I haven't put a great deal of thought into all the attack vectors for redirects yet, just trying to propose something that can be refined in this issue.
The text was updated successfully, but these errors were encountered:
Returning any 3xx redirect response requires server configuration. An internal rewrite can be accomplished with similar effort, and does not require the client to make another request to a new target URL.
It has been proposed that DID Web resolution follows HTTP redirects. If this is true, then there are security implications for blindly following re-directs. For example, if a redirect sends you off of the original domain then it allows an attacker to compromise a site merely by controlling the redirect rules rather than placing a file on the site. If we don't allow redirects off of the original domain, it makes it difficult to move a DID Web ID to a different domain in the future. There are trade-offs each way.
One solution to the problem is to restrict redirects for now until we have more experience for redirecting off of the original domain (we may choose to never do this).
One potential algorithm would be:
Another potential algorithm would be:
id
field that matches the initial canonicalized DID Web URL (see issue Canonical URL algorithm needed for did:webid
field #54).I haven't put a great deal of thought into all the attack vectors for redirects yet, just trying to propose something that can be refined in this issue.
The text was updated successfully, but these errors were encountered: