RE: IE Team's Proposal for Cross Site Requests from Chris Wilson on 2008-05-22 (public-appformats@w3.org from May 2008)

From: Chris Wilson <Chris.Wilson@microsoft.com>
Date: Thu, 22 May 2008 10:38:50 -0700
To: "arun@mozilla.com" <arun@mozilla.com>, "public-webapi@w3.org" <public-webapi@w3.org>, "public-appformats@w3.org" <public-appformats@w3.org>
Message-ID: <E35CF0CC5D011D49943F61E242AF48AD0876B838D9@NA-EXMSG-W601.wingroup.windeploy.ntd>

Stripping the parts Sunava already answered.
Arun Ranganathan wrote:
>*In particular* what is the direct parallel you are drawing between the
>Flash approach and the XHR2+AC approach? Sunava's commentary eagerly
>awaited. In this message
>
>http://lists.w3.org/Archives/Public/public-webapi/2008May/0196.html
>
>you suggest we look at "DNS Hardening" for "clues." Can you be a bit
>more specific here, if possible?

In both XHR2+AC and Flash's policy file approach, the "allow credentials" and the actual access to data occur in separate network transactions, and likely (but not guaranteed, of course) separate network connections.  This enables the vector of DNS attacks - the idea being that between those two connections, an attacker could insert themselves in to the stream.  (Actually, more likely it would be the other way around - an attacker would insert themselves into the stream, give back "it's okay to do x-domain", then release and let the real site give back data.

XDR, by contrast, performs the "access check" in effect on the same connection, since it's not a multi-part negotiation.

>All things being equal, it is likely that XDR and XHR2+AC will co-exist,
>and the major JS libraries can probably straddle the difference. Of
>course, I'd prefer it if we had a single API that addressed the more
>robust needs of web applications, including Cookies, etc. :)

I would too.  But I'd prefer to not be p0wned by security vulnerabilities even more than I'd like to address all needs in v1.

>But IE8 beta does support postMessage, just as other UAs do. And it
>would seem that postMessage will be used for cross-site requests because
>of the widespread support across UAs, modulo caller/callee understanding
>across sites (e.g. there's likely to be a propagation of iframe-based
>APIs which can be requested with Cookies, Auth, etc. and on which other
>sites will call .postMessage). This would have well-known limitations.

Yup.

>Coming to the table and commenting on proposals will create better
>solutions for developers.

Yes, I agree.  We need to do better.

-C

Received on Thursday, 22 May 2008 17:40:06 UTC