W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2006

Re: Extension methods & XMLHttpRequest

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Sun, 11 Jun 2006 19:09:32 +0200
To: Mark Nottingham <mnot@mnot.net>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <brho821rfu3ihj6h83n9ffq377gh37cncg@hive.bjoern.hoehrmann.de>

* Mark Nottingham wrote:
>Also, AFAICT, all of the purported security problems (which are  
>*still* hazy) occur with cross-domain XHR, when the spec at hand only  
>specifies single-domain XHR.

If you have a single host with a single entity responsible for all
script logic and the server setup is is indeed relatively safe to
assume this entity would not write script logic that poses risks
for the host or its users.

However, it is not safe to assume that this is always the case. As
an example, script injection vulnerabilities are rather common. It
is also common to attempt to work around such vulnerabilities, for
example "HttpOnly Cookies" are supposed to prevent cookie stealing
even if there is a script injection vulnerability.

And they do that, until you inject a script that does a TRACE. The
same goes for HTTP authentication credentials, they are not available
to scripts, so even with a script injection vulnerability you don't
have access to them, until you do a TRACE.

Also note that having a script injection vulnerability does not
necessarily mean the entity responsible for the web service made
any obvious mistake; browser vendors keep adding new features that
make previously safe codes unsafe and service providers have a
hard time to keep up with new threats.

You'll have to look at this from the user perspective. A browser
that does not allow (for example) TRACE requests is less risky to
use than one that does allow it. The question for browser vendors
is then "Do we want to make a product that's more risky to use
than competing products?"
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Sunday, 11 June 2006 17:09:44 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:10:39 UTC