
Re: What is Microsoft's intent with XDR vis-à-vis W3C? [Was: Re: IE Team's Proposal for Cross Site Requests]

From: Maciej Stachowiak <mjs@apple.com>
Date: Wed, 2 Apr 2008 17:48:57 -0700
Cc: Jonas Sicking <jonas@sicking.cc>, Eric Lawrence <ericlaw@exchange.microsoft.com>, Sunava Dutta <sunavad@windows.microsoft.com>, Ian Hickson <ian@hixie.ch>, "Web API WG (public)" <public-webapi@w3.org>, "public-appformats@w3.org" <public-appformats@w3.org>, Chris Wilson <Chris.Wilson@microsoft.com>, Zhenbin Xu <zhenbinx@windows.microsoft.com>, Gideon Cohn <gidco@windows.microsoft.com>, Sharath Udupa <Sharath.Udupa@microsoft.com>, Doug Stamper <dstamper@exchange.microsoft.com>, Marc Silbey <marcsil@windows.microsoft.com>, David Ross <dross@windows.microsoft.com>, Nikhil Kothari <nikhilko@microsoft.com>
Message-Id: <03302BFA-177C-4F64-A5D3-3332C274C16E@apple.com>
To: "Close, Tyler J." <tyler.close@hp.com>


On Apr 2, 2008, at 4:52 PM, Close, Tyler J. wrote:

>
> Sending the user's cookies, as AC4CSR does, is just not a viable  
> design, since the target resource cannot determine whether or not  
> the user consented to the request. I've posted several explanations  
> of the attacks enabled by this use of ambient authority, and, in my  
> opinion, the issues are still outstanding. The use of ambient  
> authority in AC4CSR is a show-stopper, as reflected in the decision  
> Mozilla announced on this mailing list.

Can you please post these examples again, or pointers to where you  
posted them? I believe they have not been previously seen on the Web  
API list. A number of people have mentioned that the AC approach to  
cross-site XHR is insecure (or that XDR is somehow more secure), but I  
have not yet seen any examples of specific attacks. I would love to  
see this information. If I do not see a description of a specific  
attack soon I will assume these claims are just FUD.

Note also that sending of cookies is not an essential feature of  
AC4CSR; certainly it could be a viable spec with that feature removed.  
Do you believe there are any other showstopper issues?

Regards,
Maciej
Received on Thursday, 3 April 2008 00:49:40 GMT
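An added illustration, not code from this thread nor from the AC4CSR or XDR specifications, of the point Tyler raises above: a session cookie is ambient authority that the browser attaches to every request, so a handler that wants to know whether the user consented cannot rely on the cookie alone. The example assumes the request carries the modern CORS `Origin` request header (not discussed on this page) and uses a constructed site origin, partner allowlist and session table.

```python
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from typing import Optional

SITE_ORIGIN = "https://bank.example"            # constructed sample site
TRUSTED_ORIGINS = {"https://partner.example"}   # constructed allowlist
SESSIONS = {"sid-123": "alice"}                 # constructed session store


@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)


def session_user(cookie_header: str) -> Optional[str]:
    """Resolve the session cookie to a user name, or None if absent/unknown."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    if "session" not in jar:
        return None
    return SESSIONS.get(jar["session"].value)


def effective_user(req: Request) -> Optional[str]:
    """Return the user the handler may act on behalf of, or None.

    The cookie proves the browser holds a session, not that the user meant
    to send this request. It is only honoured when the Origin header names
    the site itself or an explicitly trusted partner; any other origin is
    treated as anonymous. A missing Origin is taken as same-origin here
    (assumption for the example; older browsers sent no such header).
    """
    user = session_user(req.headers.get("Cookie", ""))
    if user is None:
        return None
    origin = req.headers.get("Origin")
    if origin is None or origin == SITE_ORIGIN or origin in TRUSTED_ORIGINS:
        return user
    return None  # foreign origin: cookie present, consent unknown


def handle_transfer(req: Request) -> tuple:
    """State-changing endpoint: (status, acting user). 401 without consent."""
    user = effective_user(req)
    if user is None:
        return (401, None)
    return (200, user)
```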
