W3C home > Mailing lists > Public > public-appformats@w3.org > March 2008

Re: IE Team's Proposal for Cross Site Requests

From: Thomas Roessler <tlr@w3.org>
Date: Tue, 18 Mar 2008 09:24:28 +0100
To: Sunava Dutta <sunavad@windows.microsoft.com>
Cc: "Web API WG (public)" <public-webapi@w3.org>, "public-appformats@w3.org" <public-appformats@w3.org>, Eric Lawrence <ericlaw@exchange.microsoft.com>, Chris Wilson <Chris.Wilson@microsoft.com>, Zhenbin Xu <zhenbinx@windows.microsoft.com>, Gideon Cohn <gidco@windows.microsoft.com>, Sharath Udupa <Sharath.Udupa@microsoft.com>, Doug Stamper <dstamper@exchange.microsoft.com>, Marc Silbey <marcsil@windows.microsoft.com>, David Ross <dross@windows.microsoft.com>
Message-ID: <20080318082428.GV159@iCoaster.does-not-exist.org>

On 2008-03-17 19:52:18 -0700, Sunava Dutta wrote:

> The Access-Control spec notes that:

>       Authors are to ensure that GET requests on their
>       applications have no side effects. If by some means an
>       attacker finds out what applications a user is associated
>       with, it might "attack" these applications with GET
>       requests that can effect [sic] the user's data (if the user
>       is already authenticated with any of these applications by
>       means of cookies or HTTP authentication).

> I'm concerned that this note suggests that the spec fails to meet
> its own requirement #2:

>       Must not require content authors or site maintainers to
>       implement new or additional security protections to
>       preserve their existing level of security protection.

> ...As cookies and HTTP authentication are commonly used security
> protections yet they are sent by cross-origin requests.  CSRF is
> already a growing problem in the wild, and the Access-Control
> mechanism requires that web developers understand extremely
> subtle aspects of the security model to keep their sites secure.

I'm not sure how subtle the GET vs POST aspect really is -- after
all, Web developers who use GET with side effects without employing 
mitigating techniques will already expose themselves to:

- any clients or proxies that assume that GET is idempotent

- attackers' ability to place pretty arbitrary GET requests with
  HTTP authentication headers and cookies, cross-site

That's not new, and it's not made worse in any significant way by
the access-control spec.

-- 
Thomas Roessler, W3C  <tlr@w3.org>
Received on Tuesday, 18 March 2008 08:25:05 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 18 March 2008 08:25:06 GMT