Setting dictionaries for hosts of the format X.Y.domain.com


Yoav

May 12, 2011, 10:49:00 AM
to SDCH
Hi,

It seems that when I'm trying to set a dictionary on a host of the
format X.Y.domain.com, I get an error of
DICTIONARY_REFERER_URL_HAS_DOT_IN_PREFIX and I'm failing the
Dictionary::CanSet security check function.
From the function's code comments:
A dictionary is invalid and must not be stored if any of the following are true:
....
4. The referer URL host is a host domain name (not IP address) and has the form HD, where D is the value of the Domain attribute, and H is a string that contains one or more dots.

Why can't SDCH dictionaries be applied to such hosts?

Thanks,
Yoav

Jim R

May 19, 2011, 2:40:59 PM
to SDCH
I'm assuming you're not asking why Chrome doesn't do this ('cause the
proposed spec said it?), but rather why the spec does indeed require
this.

I vaguely recall that the restriction was suggested analogously to
handling of cookies, and is based on:

http://www.ietf.org/rfc/rfc2965.txt

which has pretty exactly the restrictive wording seen above. Search
the RFC for "contains one or more dots."

If these restrictions were not in place, one example of a Reduction Of
Service attack would be for a malicious party to claim (somehow) that
YourFavoriteSite.com has a few hundred dictionaries :-/. If these
were established in clients, then each HTTP request would have to list
all their hashes :-(. That in turn would potentially slow requests,
and require increased bandwidth when communicating with
YourFavoriteSite. I think this same issue is part of the reason to
restrict cookies.

YMMV... but that is some reasoning that comes to mind.

Jim

Yoav Weiss

May 20, 2011, 5:34:34 AM
to sd...@googlegroups.com
Thanks Jim!

I've mistakenly read "domain" in the source code as the primary domain for the host (rather than the domain on which we're trying to assign the dictionary). Therefore, this restriction was not clear.
Now it makes perfect sense. Every host can set dictionaries to a domain that is at most one level "up", but not more than that.

Yoav
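
Rule 4 as quoted in the first post, and the "at most one level up" reading from the last reply, as an added C++ example that is not Chromium's code and not part of the thread. `CheckRule4`, `Rule4` and `LooksLikeIp` are hypothetical names, the hosts are constructed, and the Domain value is assumed to be normalized to a leading dot the way RFC 2965 does for cookies.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>

enum class Rule4 { kNotApplicable, kAllowed, kDotInPrefix };

static std::string Lower(std::string s) {
  std::transform(s.begin(), s.end(), s.begin(),
                 [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
  return s;
}

// Simplified IP-literal test: IPv6 contains ':', IPv4 is only digits and dots.
static bool LooksLikeIp(const std::string& host) {
  if (host.find(':') != std::string::npos) return true;
  return !host.empty() &&
         std::all_of(host.begin(), host.end(), [](unsigned char c) {
           return std::isdigit(c) || c == '.';
         });
}

// Evaluates rule 4 for a referer host and a dictionary Domain attribute.
Rule4 CheckRule4(std::string host, std::string domain) {
  host = Lower(host);
  domain = Lower(domain);
  if (domain.empty() || LooksLikeIp(host)) return Rule4::kNotApplicable;
  if (domain[0] != '.') domain.insert(0, ".");  // assumed RFC 2965-style normalization
  if (host.size() <= domain.size() ||
      host.compare(host.size() - domain.size(), domain.size(), domain) != 0)
    return Rule4::kNotApplicable;  // host is not of the form HD
  // H is whatever precedes D; a dot in H means the host sits two or more levels below D.
  const std::string prefix = host.substr(0, host.size() - domain.size());
  return prefix.find('.') != std::string::npos ? Rule4::kDotInPrefix
                                               : Rule4::kAllowed;
}

int main() {
  // Constructed sample hosts, following the thread's X.Y.domain.com naming.
  const char* cases[][2] = {{"y.domain.com", ".domain.com"},
                            {"x.y.domain.com", ".domain.com"},
                            {"x.y.domain.com", ".y.domain.com"},
                            {"192.0.2.7", ".domain.com"}};
  for (auto& c : cases)
    std::cout << c[0] << " -> " << c[1] << ": "
              << static_cast<int>(CheckRule4(c[0], c[1])) << "\n";
}
```
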
