Capability URLs: We Need Your Feedback by Daniel Appelquist.
From the post:
The battle for web security and privacy is fought at many levels. Sometimes common practice in web application design can lead to data leakage with untended consequences for users. A good example of this came up recently where confidential files shared through common web-based document sharing services were being exposed unintentionaly to third parties because the private URLs used to share them had been unintentionally leaked.
…
URLs that allow a user to access an otherwise privileged resource or information are called Capability URLs, and while they can be powerful, they can also cause potential problems when used improperly.
TAG member Jeni Tennison has been working on a draft defining the space of capability URLs and outlining some good practices for usage. We think this document should be useful for web builders who are thinking about incorporating this pattern into their applications. We think it’s pretty good, but we need your feedback before we finalize it and release it as a TAG finding.
The draft may be found here: http://www.w3.org/TR/capability-urls/ and if you have feedback you are encouraged to raise an issue on github or e-mail us on the TAG public mailing list. Thanks!
The most common example that Jeni mentions is a password reset URL, which allows anyone using that URL to reset a user’s password.
Interesting document and one that merits your review and any comments you may have.
It would not work in an ordinary browser but I wonder about generation of a “capacity URL” via a Challenge-response authentication?
Using the password example, assume that I have selected “Lost my password,” and the server returns a URL that ends with a challenge token that requires some calculation on my part. That is I get a “capacity URL” but the “capacity URL” that I must return is different.
Should be as secure are your challenge-response authentication. Yes?
That may be an edge case but if we are outside of browser land, I could see that being built into an application.
Suggestions?