Transfer CORS-RFC1918 and HSTS Priming to WICG


#1

We’ve been talking about https://github.com/mikewest/cors-rfc1918 and https://github.com/mikewest/hsts-priming in the Web Application Security WG for some time now. It would be lovely if we could transfer these documents to WICG to ensure that ongoing discussion is as open as possible.

CORS-RFC1918

Although [RFC1918] has specified a distinction between “private” and “public” internet addresses for over a decade, user agents haven’t made much progress at segregating the one from the other. Websites on the public internet can make requests to internal devices and servers, which enable a number of malicious behaviors, including attacks on users’ routers like those documented in [DRIVE-BY-PHARMING] (and, more recenly, [SOHO-PHARMING] and [CSRF-EXPLOIT-KIT]).

Here, we propose a mitigation against these kinds of attacks that would require internal devices to explicitly opt-in to requests from the public internet.

Blink has a partial implementation of this mechanism behind a flag.

HSTS Priming

This document spells out a mixed-content mitigation that would allow user agents to apply HSTS upgrades for insecure resources before applying mixed-content checks. Ideally, we’d be able to transparently upgrade HSTS’d resources for all sites rather than blocking them. It’s something of the inverse of Upgrade-Insecure-Requests: that mechanism allows a site to assert that its dependencies are secure, this mechanism allows a dependency to assert that it should never be embedded insecurely.

Firefox has an implementation of this mechanism behind a flag.


#2

As both repos are fairly mature, were discussed for a while and have partial implementations, moving to WICG seems appropriate.


#3

Do you have links for the titles you’ve written in [ALL CAPS SQUARE BRACES]? You need to add an empty pair of square braces at the end of a link title to linkify it using the link text as the reference in Markdown, eg [SOHO-PHARMING][]).


#4

This is just copy/pasted from https://wicg.github.io/cors-rfc1918/#intro. The links there are actual links. :slight_smile: