security policy label (negotiation)

It's interesting to see how, from the days when we realized that "CORS" in the world of Cisco phone/PBC protocol negotiations was nothing more than a security label negotiation, the "CORS" now seen in the web world IS THE SAME THING.

It's just being presented, first off, as IBAC (even though its true intent is RBAC, where the R stands for Rule, and the rule is a security policy label). It's just fascinating to see the way that the US/UK are militarizing the web WITH THE EXPLICIT UNDERSTANDING of the likes of Microsoft etc. Presumably they want the military dollars.

But at least now I have a client project – a web project fashioning a JavaScript UA running in a browser – talking to a server project – a Web API project whose Web API controller is augmented with CORS sub-negotiation at layer 6.

It is just interesting to see the concept of CORS, in which the browser (or its equivalent in the app world) is the party required to reject the inbound response: the server's reply still arrives, but unless it carries an Access-Control-Allow-Origin header matching the page's origin, the browser withholds it from the script. It is also fun to see how trivially easy it would be to impose a security policy label ordering on top of this.

So, just to test this out, we amend the project a little, to make it a bit more like a military security labelling world:

```csharp
using System;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Cors;          // CorsPolicy (Microsoft.AspNet.Cors)
using System.Web.Http;
using System.Web.Http.Cors;     // ICorsPolicyProvider (Microsoft.AspNet.WebApi.Cors)

namespace WebApplication3.Controllers
{
    // The controller carries a label (level + caveat) instead of a plain [EnableCors].
    // config.EnableCors() must be called in WebApiConfig.Register, or no policy
    // provider is ever consulted.
    [MyCorsPolicy(PetersMilitaryCorsPolicy.MyLevels.Level1, PetersMilitaryCorsPolicy.MyCaveats.Caveat1)]
    public class TestController : ApiController
    {
        public HttpResponseMessage Get()
        {
            return new HttpResponseMessage() { Content = new StringContent("GET: Test message") };
        }

        public HttpResponseMessage Post()
        {
            return new HttpResponseMessage() { Content = new StringContent("POST: Test message") };
        }

        public HttpResponseMessage Put()
        {
            return new HttpResponseMessage() { Content = new StringContent("PUT: Test message") };
        }
    }

    // Custom policy provider: Web API's CORS pipeline asks this attribute for the
    // policy to apply to the decorated controller or action.
    [AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false)]
    public class MyCorsPolicyAttribute : Attribute, ICorsPolicyProvider
    {
        private readonly PetersMilitaryCorsPolicy _policy;

        public MyCorsPolicyAttribute(PetersMilitaryCorsPolicy.MyLevels level,
                                     PetersMilitaryCorsPolicy.MyCaveats caveat)
        {
            // Create a CORS policy that carries the label.
            _policy = new PetersMilitaryCorsPolicy(level, caveat)
            {
                AllowAnyMethod = true,
                AllowAnyHeader = true,
            };

            // Add allowed origins. The origin string was lost from the post as published;
            // an empty origin matches nothing, so the UA's scheme://host[:port] goes here.
            _policy.Origins.Add("");
        }

        public Task<CorsPolicy> GetCorsPolicyAsync(HttpRequestMessage request, CancellationToken token)
        {
            return Task.FromResult<CorsPolicy>(_policy);
        }
    }

    // A CorsPolicy extended with a military-style label: a hierarchical level plus a caveat.
    public class PetersMilitaryCorsPolicy : CorsPolicy
    {
        public enum MyLevels { Level1 = 1, Level2 = 2 }

        public enum MyCaveats
        {
            Caveat1 = 100, // "room only"
            Caveat2 = 200  // "house only"
        }

        public class MyLabel
        {
            public MyLevels level { get; set; }
            public MyCaveats caveat { get; set; }
        }

        public MyLabel PolicyLabel { get; set; }

        public PetersMilitaryCorsPolicy(MyLevels level, MyCaveats caveat)
        {
            PolicyLabel = new MyLabel { level = level, caveat = caveat };
        }
    }
}
```
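The attribute above attaches a label to the policy but never compares two labels, so nothing is ordered yet. What follows is an added example, not code from the post, showing how a Bell-LaPadula style ordering (level dominance plus caveat subset) could be applied inside the same ICorsPolicyProvider hook the post uses: the policy is built per request, and the requesting origin is echoed back only when its clearance dominates the controller's label. The SecurityLabel, OriginClearances, LabelGate and LabelledCorsPolicy names, and the two origins in the clearance table, are assumptions made up for the illustration; the CORS types are the Microsoft.AspNet.WebApi.Cors API already in use on the page.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Cors;
using System.Web.Http.Cors;

namespace WebApplication3.Labels
{
    // Hypothetical label: a hierarchical level plus a set of caveats (compartments).
    public sealed class SecurityLabel
    {
        public int Level { get; }
        public HashSet<string> Caveats { get; }

        public SecurityLabel(int level, params string[] caveats)
        {
            Level = level;
            Caveats = new HashSet<string>(caveats, StringComparer.OrdinalIgnoreCase);
        }

        // "this dominates other" in the Bell-LaPadula sense: a level at least as high
        // AND a superset of the caveats. Two labels with disjoint caveat sets are
        // neither above nor below each other; that partial order is the lattice.
        public bool Dominates(SecurityLabel other)
        {
            return Level >= other.Level && other.Caveats.IsSubsetOf(Caveats);
        }
    }

    // Hypothetical registry mapping a web origin to the clearance it has been granted.
    // Constructed sample data; a real deployment would load this from configuration.
    public static class OriginClearances
    {
        private static readonly Dictionary<string, SecurityLabel> Table =
            new Dictionary<string, SecurityLabel>(StringComparer.OrdinalIgnoreCase)
            {
                ["https://room.example"]  = new SecurityLabel(2, "Caveat1", "Caveat2"),
                ["https://house.example"] = new SecurityLabel(1, "Caveat2"),
            };

        public static SecurityLabel Lookup(string origin)
        {
            SecurityLabel label;
            return Table.TryGetValue(origin ?? string.Empty, out label) ? label : null;
        }
    }

    // No read up: a caller may read a resource only if its clearance dominates the
    // resource's label. Unknown origins have no clearance and are refused.
    public static class LabelGate
    {
        public static bool MayRead(string origin, SecurityLabel resource)
        {
            var clearance = OriginClearances.Lookup(origin);
            return clearance != null && clearance.Dominates(resource);
        }
    }

    // Same hook as the post's MyCorsPolicyAttribute, but the Origins list is decided
    // per request from the label ordering rather than fixed at construction time.
    [AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false)]
    public sealed class LabelledCorsPolicyAttribute : Attribute, ICorsPolicyProvider
    {
        private readonly SecurityLabel _resource;

        public LabelledCorsPolicyAttribute(int level, params string[] caveats)
        {
            _resource = new SecurityLabel(level, caveats);
        }

        public Task<CorsPolicy> GetCorsPolicyAsync(HttpRequestMessage request, CancellationToken token)
        {
            var policy = new CorsPolicy { AllowAnyMethod = true, AllowAnyHeader = true };

            IEnumerable<string> values;
            string origin = request.Headers.TryGetValues("Origin", out values)
                ? values.FirstOrDefault()
                : null;

            if (LabelGate.MayRead(origin, _resource))
            {
                // Echo back exactly this origin, never "*": the label decision is per origin.
                policy.Origins.Add(origin);
            }
            // An empty Origins list means the CORS handler emits no
            // Access-Control-Allow-Origin header, so the browser withholds the body.
            return Task.FromResult(policy);
        }
    }
}
```

Decorate the controller with `[LabelledCorsPolicy(1, "Caveat1")]` and keep `config.EnableCors()` in WebApiConfig.Register. With the constructed table, a request carrying `Origin: https://room.example` (level 2, both caveats) gets `Access-Control-Allow-Origin: https://room.example` echoed back, while one from `https://house.example` (level 1, Caveat2 only) is not dominated on the caveat axis and gets no CORS headers at all: the response still leaves the server, but a compliant browser will not hand it to the page's script, which is exactly the "browser rejects the inbound response" behaviour the post describes, now driven by a label lattice instead of a flat origin list.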


About home_pw

Computer Programmer who often does network administration with focus on security servers. Sometimes plays at slot machine programming.
This entry was posted in owin.