Capability URLs

Summary of the Issues

Jeni Tennison · @JeniT

Security in Web Apps

Two methods:

  1. user accounts & permissions tied to them
  2. obscure URLs no one can guess

Capability URLs

know the URL?

then you can access the content

or even do other things...


Password Resets

links sent by email

Your Dropbox password recently expired. You can reset it here.

Second Life

Registration API

Reg API capabilities represent permissions to perform certain actions.

Keep your capability URLs secret! The capabilities granted to you are only meant for you. A capability URL is sensitive much like a password. Moreover, Linden Lab tracks the use of each capability.

Other Examples

  • Google Hangouts
  • GitHub Gists
  • Doodle polls
  • ...


No Login Required

  • users who can't remember login
  • users who don't want to create account
  • developers who don't want to support accounts

Easy Onward Sharing

  • invite just one person in organisation
  • trust they will pass on URL to the rest
  • reduced administration

Easy Client API

  1. perform authentication
  2. request list of capability URLs
  3. use those URLs without authentication


Risk of Exposure

URLs aren't designed to be secret

  • shown in URL bar
  • appear in proxy logs

Compromise is Hard to Handle

revoke compromised URL


revoke compromised user's access

Web Architecture

Good practice: Avoiding URI aliases
A URI owner SHOULD NOT associate arbitrarily different URIs with the same resource.

restricted access → public access

capability URL → normal URL

Beyond the Single Page

require capability URLs for onward links?


Application Design

  • when to use capability URLs
  • alternatives to capability URLs
  • how to expire capability URLs

Canonical URLs

scenario: multiple URLs giving different access to single document

  • how to relate capability URLs to canonical URL
    • redirections based on Referer header
    • embedded metadata in pages
  • how to transition to canonical URL once public

Capability URL Design

  • ensuring uniqueness
  • avoiding guessability
  • providing human readability
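
An added example, not from the slides: one way to mint capability URLs that are unique and unguessable, that expire, and that can be revoked one at a time when a single URL leaks. The origin https://app.example/c/, the in-memory store and the function names mint, resolve and revoke are assumptions for illustration.

```python
import hashlib
import secrets
import time

BASE_URL = "https://app.example/c/"  # assumption: placeholder origin and path
_store = {}  # sha256(token) -> grant record; in-memory stand-in for a database


def _digest(token):
    # Only the hash is stored, so a leaked table does not reveal working URLs.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def mint(resource, action, ttl_seconds, now=None):
    """Return a new capability URL granting `action` on `resource`."""
    now = time.time() if now is None else now
    # 32 bytes from the OS CSPRNG: unguessable, and unique in practice.
    token = secrets.token_urlsafe(32)
    _store[_digest(token)] = {
        "resource": resource,
        "action": action,
        "expires": now + ttl_seconds,
        "revoked": False,
    }
    return BASE_URL + token


def resolve(url, action, now=None):
    """Return the resource if `url` is a live capability for `action`, else None."""
    now = time.time() if now is None else now
    if not url.startswith(BASE_URL):
        return None
    grant = _store.get(_digest(url[len(BASE_URL):]))
    if grant is None or grant["revoked"] or now >= grant["expires"]:
        return None
    return grant["resource"] if grant["action"] == action else None


def revoke(url):
    """Disable one URL; other capability URLs for the same resource keep working."""
    grant = _store.get(_digest(url[len(BASE_URL):]))
    if grant is None:
        return False
    grant["revoked"] = True
    return True
```

Because each grant has its own token, revoking a compromised URL does not cut off everyone else who was given access to the same resource.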

UI Design Considerations

should there be ways to hide URLs?

  • location bar
  • status bar
  • view source

Proposed Work

short best practices Recommendation

  • aimed at web developers
  • covering recommendations just outlined

Further Reading