From 6435af2e482f29ab35023014e88c08452bff9d7c Mon Sep 17 00:00:00 2001 From: Sarven Capadisli Date: Fri, 5 Feb 2021 13:07:18 +0100 Subject: [PATCH 1/6] Add security consideration about information exposure --- protocol.html | 2 ++ 1 file changed, 2 insertions(+) diff --git a/protocol.html b/protocol.html index a05e1d73..e4fe5a58 100644 --- a/protocol.html +++ b/protocol.html @@ -895,6 +895,8 @@

Security Considerations

Solid data pods disable all cross-origin protections in browsers because resource access is governed explicitly by Web Access Control. As such, data pods MUST NOT rely on browser-based cross-origin protection mechanisms for determining the authentication status or representation of a resource. In particular, they MUST ignore HTTP cookies from untrusted origins. Additional security measures MAY be taken to prevent metadata in error responses from leaking. For instance, a malicious app could probe multiple servers to check whether the response status code is 401 or 403, or could try to access an error page from an intranet server within the user agent’s private network to extract company names or other data. To mitigate this, when a request from an untrusted Origin arrives, the data pod MAY set the status code of error responses to 404 and/or anonymize or censor their contents.

Data pods SHOULD use TLS connections to protect the contents of requests and responses from eavesdropping and modification by third parties. Unsecured TCP connections without TLS MAY be used in testing environments or when the data pod is behind a reverse proxy that terminates a secure connection.

+ +

When a server responds to an authorized HTTP GET request, the response MUST NOT expose information about resources that the agent is unauthorized to read. For example, when a GET method request targets a container, the server MUST NOT include information besides containment statements about the contained resources in the response eg. last modification, size, type or label.
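Review bot: the new paragraph restricts the requirement to "an authorized HTTP GET request", which leaves HEAD responses (same headers, no body) and metadata returned on other methods uncovered; state the rule for any response, or at least for GET and HEAD. The same sentence also carves out "containment statements" unconditionally, so a container listing will still reveal the URIs, and hence the existence and names, of resources the agent cannot read; if that disclosure is intended because read access on the container grants it, say so explicitly rather than leaving it implied. Minor: "eg." should be "e.g.," and "besides containment statements" reads better as "beyond containment statements".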

From e79079893d1be2948722924e79857e3b3c04d4c1 Mon Sep 17 00:00:00 2001 From: Sarven Capadisli Date: Fri, 5 Feb 2021 14:33:19 +0100 Subject: [PATCH 2/6] Update protocol.html Co-authored-by: Justin Bingham --- protocol.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/protocol.html b/protocol.html index e4fe5a58..2662fc65 100644 --- a/protocol.html +++ b/protocol.html @@ -896,7 +896,7 @@

Security Considerations

Data pods SHOULD use TLS connections to protect the contents of requests and responses from eavesdropping and modification by third parties. Unsecured TCP connections without TLS MAY be used in testing environments or when the data pod is behind a reverse proxy that terminates a secure connection.

-

When a server responds to an authorized HTTP GET request, the response MUST NOT expose information about resources that the agent is unauthorized to read. For example, when a GET method request targets a container, the server MUST NOT include information besides containment statements about the contained resources in the response eg. last modification, size, type or label.

+

When a server responds to an authorized HTTP GET request, the response MUST NOT expose information about resources that the agent is unauthorized to read. For example, when a GET method request targets a container, the server MUST NOT include information beyond containment statements about the contained resources in the response. Last modification time, size, type or label are examples of what is not allowed in that scenario.
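Review bot: the commit message "Update protocol.html" does not say what changed; a subject describing the change (e.g. "Reword container metadata example") would make the log usable. In the replacement paragraph, "are examples of what is not allowed in that scenario" fixes the "eg." construction, but "that scenario" is vague about whether it means the container GET or any authorized GET; tie it to the first sentence, e.g. "examples of information that MUST NOT be included about contained resources the agent is not authorized to read".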

From c5718f2b5611edf4c0144d009adaa9c97c1cfbf8 Mon Sep 17 00:00:00 2001 From: Sarven Capadisli Date: Fri, 5 Feb 2021 16:48:23 +0100 Subject: [PATCH 3/6] Paraphrase unauthorized exposure (by @d-a-v-i-- ) --- protocol.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/protocol.html b/protocol.html index 2662fc65..6c0d8ec0 100644 --- a/protocol.html +++ b/protocol.html @@ -896,7 +896,7 @@

Security Considerations

Data pods SHOULD use TLS connections to protect the contents of requests and responses from eavesdropping and modification by third parties. Unsecured TCP connections without TLS MAY be used in testing environments or when the data pod is behind a reverse proxy that terminates a secure connection.

-

When a server responds to an authorized HTTP GET request, the response MUST NOT expose information about resources that the agent is unauthorized to read. For example, when a GET method request targets a container, the server MUST NOT include information beyond containment statements about the contained resources in the response. Last modification time, size, type or label are examples of what is not allowed in that scenario.

+

When a server responds to an authorized HTTP GET request, the response MUST NOT expose unauthorized information about resources to the agent. For example, when a GET method request targets a container, the server MUST NOT include information beyond containment statements about the contained resources in the response. Last modification time, size, type, creator or label are examples of what is not allowed in proper authorization.
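Review bot: "MUST NOT expose unauthorized information about resources to the agent" attaches "unauthorized" to the information rather than to the agent's access, and the closing "what is not allowed in proper authorization" does not parse; the previous wording "information about resources that the agent is unauthorized to read" was clearer. Suggest "the response MUST NOT expose information about resources that the agent is not authorized to read" and "... are examples of what MUST NOT be exposed without proper authorization". Adding "creator" to the list is worthwhile, since it identifies who made the resource rather than a property of the resource itself.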

From 391bbd828f253f058b30e58dc161636d058cb691 Mon Sep 17 00:00:00 2001 From: Sarven Capadisli Date: Fri, 5 Feb 2021 16:49:23 +0100 Subject: [PATCH 4/6] Minor --- protocol.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/protocol.html b/protocol.html index 6c0d8ec0..ab7dc642 100644 --- a/protocol.html +++ b/protocol.html @@ -896,7 +896,7 @@

Security Considerations

Data pods SHOULD use TLS connections to protect the contents of requests and responses from eavesdropping and modification by third parties. Unsecured TCP connections without TLS MAY be used in testing environments or when the data pod is behind a reverse proxy that terminates a secure connection.

-

When a server responds to an authorized HTTP GET request, the response MUST NOT expose unauthorized information about resources to the agent. For example, when a GET method request targets a container, the server MUST NOT include information beyond containment statements about the contained resources in the response. Last modification time, size, type, creator or label are examples of what is not allowed in proper authorization.

+

When a server responds to an authorized HTTP GET request, the response MUST NOT expose unauthorized information about resources to the agent. For example, when a GET method request targets a container, the server MUST NOT include information beyond containment statements about the contained resources in the response. Last modification time, size, type, creator or label are examples of what is not allowed without proper authorization.
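Review bot: changing "in proper authorization" to "without proper authorization" fixes the parse, but the first sentence still reads "expose unauthorized information about resources to the agent", where "unauthorized" modifies the information; it should qualify the agent's access ("information about resources that the agent is not authorized to read"). Minor: "GET method request" can simply be "GET request".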

From 7ec822891cee4f56afa74475d094142cab24fa29 Mon Sep 17 00:00:00 2001 From: Sarven Capadisli Date: Sun, 7 Feb 2021 18:44:07 +0100 Subject: [PATCH 5/6] Do not expose more information than what's necessary --- protocol.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/protocol.html b/protocol.html index ab7dc642..81521d54 100644 --- a/protocol.html +++ b/protocol.html @@ -896,7 +896,7 @@

Security Considerations

Data pods SHOULD use TLS connections to protect the contents of requests and responses from eavesdropping and modification by third parties. Unsecured TCP connections without TLS MAY be used in testing environments or when the data pod is behind a reverse proxy that terminates a secure connection.

-

When a server responds to an authorized HTTP GET request, the response MUST NOT expose unauthorized information about resources to the agent. For example, when a GET method request targets a container, the server MUST NOT include information beyond containment statements about the contained resources in the response. Last modification time, size, type, creator or label are examples of what is not allowed without proper authorization.

+

Servers MUST NOT expose information more than the minimum amount necessary to power a feature. For example, when a GET method request targets a container, the server MUST NOT include information beyond containment statements about the contained resources in the response. Last modification time, size, type, creator or label are examples of what is not allowed without proper authorization.
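Review bot: replacing the authorization-based rule with "MUST NOT expose information more than the minimum amount necessary to power a feature" turns a testable requirement into one with no objective criterion: "minimum amount" and "feature" are undefined, so neither an implementer nor a test suite can decide conformance, and the paragraph now states two different rules, minimization in the first sentence and "not allowed without proper authorization" in the last. Keep the normative MUST NOT tied to authorization ("the server MUST NOT expose information about resources the agent is not authorized to read") and state data minimization as a SHOULD or as non-normative guidance. Dropping "authorized HTTP GET request" does usefully extend the rule beyond GET, so keep that part. Grammar: "expose information more than" should be "expose more information than".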

From e0376797b78e5e5361f6dcf4a814e1dcf4603ed9 Mon Sep 17 00:00:00 2001 From: Sarven Capadisli Date: Tue, 9 Feb 2021 20:17:28 +0100 Subject: [PATCH 6/6] Update protocol.html Co-authored-by: Ted Thibodeau Jr --- protocol.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/protocol.html b/protocol.html index 81521d54..7c2bf279 100644 --- a/protocol.html +++ b/protocol.html @@ -896,7 +896,7 @@

Security Considerations

Data pods SHOULD use TLS connections to protect the contents of requests and responses from eavesdropping and modification by third parties. Unsecured TCP connections without TLS MAY be used in testing environments or when the data pod is behind a reverse proxy that terminates a secure connection.

-

Servers MUST NOT expose information more than the minimum amount necessary to power a feature. For example, when a GET method request targets a container, the server MUST NOT include information beyond containment statements about the contained resources in the response. Last modification time, size, type, creator or label are examples of what is not allowed without proper authorization.

+

Servers MUST NOT expose information beyond the minimum amount necessary to enable a feature. For example, when a GET method request targets a container, the server MUST NOT include information beyond containment statements about the contained resources in the response. Examples of what is not allowed without proper authorization include size, type, creator, label, and last modification time.
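Review bot: the mismatch introduced in the previous revision is still present: the first sentence's criterion is "the minimum amount necessary to enable a feature" while the last sentence's is "without proper authorization", and "feature" remains undefined, so the MUST NOT cannot be checked. Make the authorization rule the normative sentence and keep minimization as a SHOULD. The container example also still permits "containment statements" unconditionally; if listing the URIs of contained resources the agent cannot read is intended, state that, since those URIs are themselves information about resources the agent may not be authorized to read.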