W3C home > Mailing lists > Public > public-web-security@w3.org > January 2010

[XHR] XMLHttpRequest specification lacks security considerations

From: Thomas Roessler <tlr@w3.org>
Date: Tue, 19 Jan 2010 08:01:12 +0100
Message-Id: <E4DE70C1-0FAD-49B2-93DF-79DAD3BB61D8@w3.org>
Cc: Thomas Roessler <tlr@w3.org>, public-web-security@w3.org
To: W3C WebApps WG <public-webapps@w3.org>
With apologies for the belated Last Call comment -- the XMLHttpRequest specification
  http://www.w3.org/TR/XMLHttpRequest/

... doesn't have meaningful security considerations.


Section 3 should at the very least spell out:

- Somewhat detailed considerations around CONNECT, TRACE, and TRACK (flagged in the text of the specification, but not called out in the security section; 4.6.1).
- Considerations around DNS rebinding.
- Some explanation for the "security reasons" that are mentioned in section 4.6.2 (setRequestHeader).
- The rationale for the handling of HTTP redirects in section 4.6.4.
- The fact that this specification normatively defines the same-origin policy as it applies to network access within browsers (section 4.6.1; though that mostly refers to HTML5 these days)



Related to this, what is the rationale for making the following (explicitly security-relevant) conformance clauses SHOULD, not MUST?

** 4.6.1

If method is a case-sensitive match for CONNECT, TRACE, or TRACK the user agent should raise a SECURITY_ERR exception and terminate these steps.

If the origin of url is not same origin with the XMLHttpRequest origin the user agent should raise a SECURITY_ERR exception and terminate these steps.

** 4.6.2

For security reasons, these steps should be terminated if header is an ASCII case-insensitive match for one of the following headers:
...


--
Thomas Roessler, W3C  <tlr@w3.org>
Received on Tuesday, 19 January 2010 07:01:14 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 19 December 2010 00:16:02 GMT