Re: (XMLHttpRequest 2) Proposal for cross-site extensions to XMLHttpRequest

On 2006/04/14, at 2:10 PM, Ian Hickson wrote:
>>
>> BTW, would you consider these URIs to have different policies?
>>
>> http://www.example.com/search?a=b
>> http://www.example.com/search?c=d
>
> Yes. But if you're doing a POST, why not include the variables in the
> entity body?

I was just wondering if each would have a separate policy,  
independent of the method.

As to the variables, there's a difference between query args and body
content (despite how most CGI tools treat it); the query args form a
part of the identity of the resource, the body doesn't (but that's
neither here nor there for the purposes of this discussion).

>>>> As stated before, I'm not sure the existence of one hole justifies
>>>> the intentional opening of other holes.
>>>
>>> It's not "one hole". Most of the Web works this way, always has.
>>
>> I was referring to the ability to do a POST; obviously GET is possible
>> through a variety of methods, but that's OK, because it's safe.
>
> In that case I'm confused; you can't do a POST with a <script> element.
> Did you mean <form>?

Sorry, script + form for a non-user-initiated POST.

AIUI, the specific vulnerability is form.submit() being used cross-site;
or are there other ways to do an automated POST?

>> It's true that it's possible to muck around with script tags and HTML
>> forms to send an arbitrary POST without interaction (the "one hole"),
>> but the existence of one accidental attack vector isn't justification
>> for intentionally creating (and standardising) another bigger one (not
>> just POST, but other methods as well).
>
> Sure, that's why I'm proposing that non-GET requests should have the
> pre-flight check.

OK; I wasn't sure if you were retracting that or not. It sounds like  
the question is just how to do the pre-flight check. I'm not  
necessarily against yours (it has some nice properties), but I'm not  
sure it's the best way forward.

Thanks,

--
Mark Nottingham
mnot@yahoo-inc.com

Received on Monday, 17 April 2006 18:42:45 UTC