There's an important point under all of this.
On 23 Jan 2016, at 2:55 am, Phillip Hallam-Baker
<phill(_at_)hallambaker(_dot_)com> wrote:
> Alice is the administrator of the system, she is running a Web Server
> for the company on http://example.com/ with a redirect mapping from
> http://www.example.com/*
> Bob wants to set up an XXX service which is a Web Service with an HTTP
> binding. Alice will let him run that service but does not want to
> grant unrestricted access to the corporate Web service on port 80/443.
> How do we support that?
It's exceedingly difficult. The Web has for some time set most meaningful
security boundaries at the origin level -- i.e., (scheme, host, port).
Allowing Bob access to <https://www.example.com/.well-known/bob> still gives
him a considerable amount of leeway to content and capability on other parts of
the origin, including:
* reading and writing cookies
* reading and writing LocalStorage
* setting ServiceWorkers to intercept requests and synthesise responses for the
whole host
* access to use and set permissions for capabilities like camera access,
microphone access, geolocation
* provide content -- including active content (e.g., JavaScript) -- for
execution with escalated privilege
* ability to set origin policy such as CSP, HSTS, etc.
This is a small, incomplete sample. Alice can try to limit Bob's capabilities
by controlling the headers and content that he sets, but that's probably a
losing battle; it requires her to keep up with every development in the Web
platform, and code her containment perfectly.
The takeaway here is that .well-known is *not* a sandbox to put content into,
and treating it like that can have serious security implications.
Cheers,
--
Mark Nottingham https://www.mnot.net/