W3C home > Mailing lists > Public > public-webapi@w3.org > June 2006

Re: XHR security risks

From: Julian Reschke <julian.reschke@gmx.de>
Date: Thu, 08 Jun 2006 15:54:53 +0200
Message-ID: <44882C2D.1030206@gmx.de>
To: Charles McCathieNevile <chaals@opera.com>
CC: Public Web API <public-webapi@w3.org>

Charles McCathieNevile schrieb:
> On Thu, 08 Jun 2006 22:56:51 +1000, Julian Reschke 
> <julian.reschke@gmx.de> wrote:
> 
>> I'd like to pick up the discussion I started several weeks ago (see 
>> <http://lists.w3.org/Archives/Public/public-webapi/2006Apr/0305.html> 
>> and copy below)...
>>
>> In the meantime I've discussed the issue with Roy F., and we also 
>> talked about it over on Mark Nottingham's blog (see 
>> <http://www.mnot.net/blog/2006/04/20/form.submit>). I'm still 
>> convinced that a user agent that allows an HTML page to submit an 
>> unsafe method (such as POST, DELETE or PUT) without explicit user 
>> interaction is buggy. This applies both to form.submit and XHR.
> 
> I don't see that it is buggy. However, there are obvious scenarios where 
> it exposes a user to a potential security risk. If I put some magic into 

Well, it exposes users to a potential security risk, and there's nothing 
the user can do about it except disabling scripting. I think that is a 
problem.

> a browser that allows any HTML page from EvilOverlords.example.com to 
> PUT or POST to any other page in example.com without explicit user 
> interaction, it may be antisocial behaviour. If I allow those pages to 
> PUT or POST to EvilOverlords.example.com from the user history I might 
> be antisocial or I might be implementing some new and nasty company 
> policy about checking everything employees do. But I don't see that it 
> is ipso facto a bug.
> 
> There is a convention that you don't use GET for things with side 
> effects, but there is nothing that enforces that convention. In an 

RFC2616 calls it a convention, but also says

'In particular, the convention has been established that the GET and 
HEAD methods SHOULD NOT have the significance of taking an action other 
than retrieval. These methods ought to be considered "safe".'

Note it goes on saying

'This allows user agents to represent other methods, such as POST, PUT 
and DELETE, in a special way, so that the user is made aware of the fact 
that a possibly unsafe action is being requested.

Naturally, it is not possible to ensure that the server does not 
generate side-effects as a result of performing a GET request; in fact, 
some dynamic resources consider that a feature. The important 
distinction here is that the user did not request the side-effects, so 
therefore cannot be held accountable for them.'

(Emphasis on the first sentence above)

(see <http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.9.1.1>).


> untrusted environment, it is possible to use GET for all kinds of 
> badness too. (There are probably still people sending important 
> financial transaction over unsecured HTTP via GET somewhere). I don't 
> think the WebAPI specs are the place to try and enforce these kind of 
> security policies, although the issues are worth noting in security 
> sections for each spec.

If a server implements unsafe actions upon GET, that's a bug in the 
server. For instance, should a GET request to a certain URL cause a 
vendor to ship something to me (just because my user agent pre-caches 
content linked from the current page), it's the vendor's problem, not mine.

Best regards, Julian
Received on Thursday, 8 June 2006 13:55:04 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:18:55 GMT