- From: Jon Ferraiolo <jferrai@us.ibm.com>
- Date: Tue, 15 Jan 2008 16:34:08 -0800
- To: "Anne van Kesteren" <annevk@opera.com>
- Cc: "David Orchard" <dorchard@bea.com>, "WAF WG (public)" <public-appformats@w3.org>, public-appformats-request@w3.org
- Message-ID: <OF101BA2F8.7898B519-ON882573D2.00022C19-882573D2.00032041@us.ibm.com>
If we are still talking about <img>, <script>, etc., then I would argue that the type of the request isn't identical because these are GET requests, whereas the scenario I described is a POST request. So, if a server only supports POST for data insert/update/delete operations (which is recommended best practice, therefore a good number of sites will do this), then <img> and <script> cannot do any harm.

Also, with Access-Control-powered XHR, meaningful data can be retrieved from the other-domain server leveraging any cookies that apply to the other domain, whereas with <img> the JavaScript will not receive any data and with <script> data can only be received if it is formatted as JSON (or other JavaScript).

Therefore, there are indeed new opportunities for doing bad things, including new CSRF opportunities, because the current draft says the browser should send cookies.

"Anne van Kesteren" <annevk@opera.com>
Sent by: public-appformats-request@w3.org
01/15/2008 12:09 PM

To: "David Orchard" <dorchard@bea.com>
cc: "WAF WG (public)" <public-appformats@w3.org>
Subject: Re: ISSUE 19: Requirements and Usage Scenarios document

> On Tue, 15 Jan 2008 17:44:35 +0100, David Orchard <dorchard@bea.com> wrote:
> > If Cookies would be sent as part of more requests because of deployment
> > of the Access Control spec, then isn't this spec opening a new attack
> > vector? I understand your point that cookies are already sent under
> > img, script and form, but this is something newer and in addition to
> > those.
>
> I think I disagree. The (type of) request is identical. Especially since
> it's about the request and not about the protocol that issues the request.
>
> --
> Anne van Kesteren
> <http://annevankesteren.nl/>
> <http://www.opera.com/>
Attachments
- image/gif attachment: graycol.gif
- image/gif attachment: pic13508.gif
- image/gif attachment: ecblank.gif
Received on Wednesday, 16 January 2008 00:35:56 UTC
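The two sides of this exchange can be made concrete with a small model of the rules that the Access-Control mechanism ended up with once standardized (the CORS part of the Fetch standard). The following is an added example written for this archive page; it is not code from the thread, from the WAF working group, or from any W3C deliverable. It models three things: the browser's rule for when a cross-origin request is sent without a preflight (a POST with a form-encoded body goes out, cookies and all, exactly as an HTML <form> submission would, which is the part of the CSRF surface the thread agrees already existed), a server's response-header policy shown once in the weak form that reflects any Origin and once as an allowlist, and the browser's check for whether the response body may be handed to script (the part that is genuinely new relative to <img> and <script>). The names ALLOWED_ORIGINS, needsPreflight, corsResponseHeaders, browserExposesResponse and attackerCanReadData are hypothetical, as are the example origins.

```javascript
// Added example, not from the original thread. Models the browser-side and
// server-side decisions in a credentialed cross-origin (CORS) request.
// Hypothetical names and origins throughout.

// Server-side: the only origin this API trusts with cookie-authenticated data.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);

// CORS-safelisted request headers and Content-Type values (Fetch standard).
const SAFELISTED_HEADERS = new Set([
  'accept', 'accept-language', 'content-language', 'content-type',
]);
const SAFELISTED_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// Browser-side: does a cross-origin request with this method and these
// headers require a preflight OPTIONS exchange? If not, the browser sends
// it straight away (with cookies, when the caller asked for credentials),
// which is the same CSRF exposure an HTML <form> already gives a site.
function needsPreflight(method, headers) {
  if (!['GET', 'HEAD', 'POST'].includes(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) return true;
    if (lower === 'content-type') {
      const mime = value.split(';')[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mime)) return true;
    }
  }
  return false;
}

// Server-side policy: which Access-Control-* headers to send back.
//   mode 'reflect'   echoes whatever Origin arrives (the weak setting: it
//                    grants every site on the web read access to the
//                    victim's cookie-authenticated responses).
//   mode 'allowlist' grants only origins the server explicitly trusts.
function corsResponseHeaders(origin, mode) {
  if (origin === undefined) return {}; // same-origin or non-browser client
  if (mode === 'reflect') {
    return {
      'Access-Control-Allow-Origin': origin,
      'Access-Control-Allow-Credentials': 'true',
      'Vary': 'Origin',
    };
  }
  if (!ALLOWED_ORIGINS.has(origin)) return {}; // untrusted: grant nothing
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Browser-side check before the response body reaches script: a credentialed
// request needs an exact Origin match plus Access-Control-Allow-Credentials:
// true. A wildcard "*" is only honoured when no credentials were sent.
function browserExposesResponse(origin, withCredentials, respHeaders) {
  const acao = respHeaders['Access-Control-Allow-Origin'];
  if (acao === undefined) return false;
  if (withCredentials) {
    return acao === origin &&
      respHeaders['Access-Control-Allow-Credentials'] === 'true';
  }
  return acao === '*' || acao === origin;
}

// Putting it together: can a page on https://evil.example, loaded by a user
// who is logged in to the API's domain, read the user's data through a
// credentialed XHR? The request itself is sent either way; the server's
// header policy decides whether the response is exposed.
function attackerCanReadData(mode) {
  const attacker = 'https://evil.example';
  const resp = corsResponseHeaders(attacker, mode);
  return browserExposesResponse(attacker, true, resp);
}
```

The model makes the distinction the thread is circling explicit: the request side (whether cookies travel with a cross-origin POST) is governed by the preflight rules and is no different for a form-encoded POST than for a <form>, whereas the response side (whether the attacker's script gets to read cookie-authenticated data) is entirely in the hands of the server's Access-Control-Allow-Origin policy, and reflecting the Origin header with credentials enabled hands that data to any site.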