
Re: [XHR] XMLHttpRequest specification lacks security considerations

From: Anne van Kesteren <annevk@opera.com>
Date: Mon, 08 Feb 2010 18:14:20 +0100
To: "Julian Reschke" <julian.reschke@gmx.de>
Cc: "Thomas Roessler" <tlr@w3.org>, "W3C WebApps WG" <public-webapps@w3.org>, public-web-security@w3.org
Message-ID: <op.u7tjh6yr64w2qv@annevk-t60>
On Mon, 08 Feb 2010 18:01:18 +0100, Julian Reschke <julian.reschke@gmx.de>  
wrote:
> Is re-binding == spoofing? Does
> <http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.15.3> help,
> or does it need to be updated (Thomas; HTTPbis will gladly accept your
> input ;-).

As far as I can tell DNS rebinding is possible because clients observe TTL  
and can be prevented by servers carefully checking the Host header. The  
solutions clients can employ have potential drawbacks:

   http://en.wikipedia.org/wiki/DNS_rebinding

I.e. it seems to be something different.


> HTML5 defines when two origins are the same, but it's remarkably silent
> about the so-called "same-origin policy". The information may be there,
> but it's not obvious where it is.

I think you are right in that it does not actually explain what it is. You  
filed a bug on the matter so hopefully it gets resolved in due course.


-- 
Anne van Kesteren
http://annevankesteren.nl/
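An added example, not part of this thread, of the server-side Host header check Anne describes: a Python helper that accepts a request only when Host names one of the service's own hostnames, so a rebinding attacker's page (whose requests carry the attacker's domain in Host) is refused. The allowlist and port are constructed for illustration.

```python
import ipaddress

# Constructed allowlist for illustration; a real deployment uses its own names.
ALLOWED_HOSTS = {"app.example", "www.app.example"}


def parse_host_header(value):
    """Split a Host header into (hostname, port); port is None if absent.
    Returns None when the value is syntactically unusable."""
    if value is None:
        return None
    value = value.strip()
    if not value:
        return None
    if value.startswith("["):            # IPv6 literal, e.g. [::1]:8080
        end = value.find("]")
        if end == -1:
            return None
        host, rest = value[1:end], value[end + 1:]
    else:
        host, sep, rest = value.partition(":")
        rest = sep + rest
    port = None
    if rest:
        if not rest.startswith(":") or not rest[1:].isdigit():
            return None
        port = int(rest[1:])
        if not 0 < port < 65536:
            return None
    return host.lower().rstrip("."), port


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_header_allowed(value, allowed_hosts=ALLOWED_HOSTS, expected_port=None):
    """True only if Host names this service by one of its own hostnames.
    Bare IP literals are rejected too: a rebound name resolves to our IP,
    but the browser still sends the attacker's hostname, never our IP."""
    parsed = parse_host_header(value)
    if parsed is None:
        return False
    host, port = parsed
    if is_ip_literal(host):
        return False
    if expected_port is not None and port not in (None, expected_port):
        return False
    return host in {h.lower() for h in allowed_hosts}
```

Call `host_header_allowed(request.headers.get("Host"))` before any other request handling and answer 400 when it returns False.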
Received on Monday, 8 February 2010 17:14:59 GMT
