Summary of the Issues
Jeni Tennison · @JeniT
Security in Web Apps
- user accounts & permissions tied to them
- obscure URLs no one can guess
know the URL? then you can access the content, or even do other things...
links sent by email
Your Dropbox password recently expired. You can reset it here.
Reg API capabilities represent permissions to perform certain actions.
Keep your capability URLs secret! The capabilities granted to you are only meant for you. A capability URL is sensitive much like a password. Moreover, Linden Lab tracks the use of each capability.
- Google Hangouts
- Github Gists
- Doodle polls
No Login Required
- users who can't remember login
- users who don't want to create account
- developers who don't want to support accounts
Easy Onward Sharing
- invite just one person in organisation
- trust they will pass on URL to the rest
- reduced administration
Easy Client API
- perform authentication
- request list of capability URLs
- use those URLs without authentication
Risk of Exposure
URLs aren't designed to be secret
- shown in URL bar
- appear in proxy logs
Compromise is Hard to Handle
- can only revoke the compromised URL itself (everyone holding it loses access)
- can't revoke just the compromised user's access: there is no user to revoke
Good practice: Avoiding URI aliases
A URI owner SHOULD NOT associate arbitrarily different URIs with the same resource.
- when restricted access becomes public access
- the capability URL becomes an alias of the normal URL
Beyond the Single Page
require capability URLs for onward links?
- when to use capability URLs
- alternatives to capability URLs
- how to expire capability URLs
scenario: multiple URLs giving different access to a single document
how to relate capability URLs to canonical URL
- redirections based on
- embedded metadata in pages
how to transition to canonical URL once public
Capability URL Design
- ensuring uniqueness
- avoiding guessability
- providing human readability
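Added example, not from the talk: a minimal server-side store that puts the three design points above (uniqueness, unguessability, human readability) together with the expiry and revocation concerns from earlier slides. The URL shape `https://example.test/docs/<slug>/<token>`, the `CapabilityStore` class and the 256-bit token size are assumptions made for this example; the slug carries the human-readable part and the token is the only secret.

```python
"""Minting, resolving, expiring and revoking capability URLs (added example)."""
from __future__ import annotations

import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlsplit

# Assumed URL layout for this example: https://example.test/docs/<slug>/<token>
BASE = "https://example.test"
TOKEN_BYTES = 32  # 256 bits from the OS CSPRNG: not guessable, collisions negligible


@dataclass
class Grant:
    resource: str       # what the URL points at
    access: str         # e.g. "read" or "edit": one document, several URLs
    expires_at: float   # Unix time after which the URL stops working
    revoked: bool = False


class CapabilityStore:
    """Issued capability URLs, keyed by the SHA-256 digest of their token."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._grants: dict[str, Grant] = {}
        self._now = now  # injectable clock so expiry can be tested

    @staticmethod
    def _digest(token: str) -> str:
        # Store a hash, not the token: a leaked table is not a leaked set of
        # working URLs. Looking the digest up directly is safe because SHA-256
        # is preimage-resistant, so timing on the digest reveals nothing useful.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def mint(self, resource: str, slug: str, access: str, ttl_seconds: int) -> str:
        """Create a fresh capability URL for `resource` with the given access."""
        token = secrets.token_urlsafe(TOKEN_BYTES)  # URL-safe alphabet, no escaping
        self._grants[self._digest(token)] = Grant(
            resource, access, self._now() + ttl_seconds
        )
        return f"{BASE}/docs/{slug}/{token}"

    @staticmethod
    def _token_of(url: str) -> Optional[str]:
        parts = urlsplit(url).path.strip("/").split("/")
        if len(parts) != 3 or parts[0] != "docs" or not parts[2]:
            return None
        return parts[2]  # the slug is ignored: only the token grants anything

    def resolve(self, url: str) -> Optional[Grant]:
        """Grant behind `url`, or None if unknown, expired or revoked."""
        token = self._token_of(url)
        if token is None:
            return None
        grant = self._grants.get(self._digest(token))
        if grant is None or grant.revoked or self._now() >= grant.expires_at:
            return None
        return grant

    def revoke(self, url: str) -> bool:
        """Revoke one leaked URL. Returns False if it was not live."""
        token = self._token_of(url)
        grant = self._grants.get(self._digest(token)) if token else None
        if grant is None or grant.revoked:
            return False
        grant.revoked = True
        return True

    def revoke_resource(self, resource: str) -> int:
        """Revoke every URL for a resource (e.g. before reissuing after a compromise)."""
        count = 0
        for grant in self._grants.values():
            if grant.resource == resource and not grant.revoked:
                grant.revoked = True
                count += 1
        return count


if __name__ == "__main__":
    store = CapabilityStore()
    edit_url = store.mint("doc-42", "q3-budget", "edit", ttl_seconds=3600)
    read_url = store.mint("doc-42", "q3-budget", "read", ttl_seconds=3600)
    print(edit_url)
    print(store.resolve(edit_url).access, store.resolve(read_url).access)
    store.revoke(edit_url)
    print(store.resolve(edit_url))  # None once revoked
```

Because only a digest is stored there is nothing to recover from the table, and because revocation is per URL rather than per user, a leak of the edit URL can be handled without disturbing holders of the read-only one.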
UI Design Considerations
should there be ways to hide URLs?
- location bar
- status bar
- view source
a short best-practices Recommendation
- aimed at web developers
- covering recommendations just outlined