[Freeipa-devel] webUI code restructuring [wall of text, diagrams, ... you've been warned!]

Adam Young ayoung at redhat.com
Wed Sep 8 19:21:06 UTC 2010


On 09/08/2010 02:47 PM, Simo Sorce wrote:
> On Tue, 07 Sep 2010 14:45:49 +0200
> Pavel Zuna<pzuna at redhat.com>  wrote:
>
>> Enough text. Waiting for comments. :)
>
> I have one question.
> Have you made any consideration wrt security ?
>
> For example you say that you can push a complete state in a URL so that
> you can bookmark it.
> How does this cope with authentication ?
> Is there any way to validate the state is legit server side, or does it
> mean we make it an easy target for XSS exploits ?
> Last thing I want to see is an admin clicking a link and finding out
> that link actually granted some permission to the malicious user that
> sent him a carefully crafted email ...
>
> Simo.
>


Simo,

Two different concepts here, the state in the URL, and the security model.

The state is completely a client side concept; it manages the values
used to repopulate the webui.  The existing security model prevents
calls against the server if you don't have a Kerberos key set.  We are
providing no more access than is already available to the server.
Kerberos is our friend here, as it obviates what seem to be the most
common JSON attacks.

Basically, the state only tells the web ui what to execute.  It
has things like: current tab is user, current facet is search, search
criteria was 'Ada'.   No code; it is not interpreted as code.

The security model is a different beast.  We are doing nothing with the
web server that you cannot do already using the https/xml APIs.  So if
there is a problem, it is out there today.  I make no judgements on that,
as I am not a security expert.

An early problem with JSON was that it was basically just a block of
code processed with an 'eval' statement.  The browser now handles the
parsing for us, with the exception of older browsers, where we use a
code library.  In either case, we avoid the eval issues.

Also, since we own both the client and server side of the equation, we
don't have to worry about a malicious third party injecting code into
our stream.  The tunnel between client and server is encrypted, and we
only send JSON requests back to the server of origin.  In fact, as far
as I know, the same origin policy is still in effect, and
(Fedora/RHEL/Mozilla) does nothing to circumvent it.
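An added illustration of the point made in this reply, not code from FreeIPA or its authors: bookmarkable state in the URL fragment is parsed as data with the browser's JSON parser and checked against the tabs, facets and fields the UI knows about, so a fragment carrying a JavaScript expression or an extra field is simply rejected. The tab and facet names are assumptions made for the example.

```javascript
// Added example (not FreeIPA code): parse bookmarkable UI state out of a
// URL fragment without ever handing the string to eval().
const ALLOWED_TABS = new Set(["user", "group", "host"]);   // assumed tab names
const ALLOWED_FACETS = new Set(["search", "details"]);     // assumed facet names
const STATE_KEYS = ["tab", "facet", "criteria"];           // the only fields accepted
const MAX_CRITERIA_LEN = 256;

// Returns a plain {tab, facet, criteria} object, or null if the fragment is
// not well-formed JSON or does not describe a state the UI knows about.
function parseState(fragment) {
  const raw = fragment.startsWith("#") ? fragment.slice(1) : fragment;
  let decoded;
  try {
    decoded = decodeURIComponent(raw);
  } catch (e) {
    return null; // malformed percent-encoding
  }
  let obj;
  try {
    obj = JSON.parse(decoded); // native parser: produces data, never runs code
  } catch (e) {
    return null; // not JSON (e.g. a JavaScript expression) -> rejected
  }
  if (obj === null || typeof obj !== "object" || Array.isArray(obj)) return null;
  // Exactly the three expected keys, nothing else (no stray handlers, no __proto__).
  const keys = Object.keys(obj);
  if (keys.length !== STATE_KEYS.length || !keys.every(k => STATE_KEYS.includes(k))) {
    return null;
  }
  if (!ALLOWED_TABS.has(obj.tab) || !ALLOWED_FACETS.has(obj.facet)) return null;
  if (typeof obj.criteria !== "string" || obj.criteria.length > MAX_CRITERIA_LEN) {
    return null;
  }
  // Copy the fields into a fresh object so nothing else from the input survives.
  return { tab: obj.tab, facet: obj.facet, criteria: obj.criteria };
}

// Inverse: build the fragment the UI would place in the address bar for bookmarking.
function encodeState(state) {
  return "#" + encodeURIComponent(JSON.stringify(state));
}
```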
