W3C home > Mailing lists > Public > public-webapi@w3.org > March 2008

Re: IE Team's Proposal for Cross Site Requests

From: Jonas Sicking <jonas@sicking.cc>
Date: Fri, 14 Mar 2008 11:24:15 -0700
Message-ID: <47DAC2CF.9090808@sicking.cc>
To: Chris Wilson <Chris.Wilson@microsoft.com>
CC: "Web API WG (public)" <public-webapi@w3.org>, Eric Lawrence <ericlaw@exchange.microsoft.com>, Zhenbin Xu <zhenbinx@windows.microsoft.com>, Gideon Cohn <gidco@windows.microsoft.com>, Sharath Udupa <Sharath.Udupa@microsoft.com>, Doug Stamper <dstamper@exchange.microsoft.com>, Marc Silbey <marcsil@windows.microsoft.com>

Can you describe what you mean by "persistent allow" design?

/ Jonas

Chris Wilson wrote:
> Oops.  Obviously, this was not to go to the whole group.
> 
>  
> 
> I’ve been asked a lot, over the last week and a half, why we implemented 
> XDR rather than the current cross-domain XHR proposals.  The short 
> version is, as Sunava discusses in the summary of this mail, that 
> x-domain XHR (and Flash’s approach, et al) is subject to specific 
> x-domain injection attacks because of its persistent-allow design.
> 
>  
> 
> *From:* Chris Wilson
> *Sent:* Friday, March 14, 2008 11:00 AM
> *To:* Sunava Dutta; Web API WG (public)
> *Cc:* Eric Lawrence; Zhenbin Xu; Gideon Cohn; Sharath Udupa; Doug 
> Stamper; Marc Silbey
> *Subject:* RE: IE Team's Proposal for Cross Site Requests
> 
>  
> 
> I’d move half the summary section up front to make it clear why we’re 
> not wild about x-domain XHR.  You need to lead with that.
> 
>  
> 
> *From:* Sunava Dutta
> *Sent:* Thursday, March 13, 2008 8:47 PM
> *To:* Sunava Dutta; Web API WG (public)
> *Cc:* Eric Lawrence; Chris Wilson; Zhenbin Xu; Gideon Cohn; Sharath 
> Udupa; Doug Stamper; Marc Silbey
> *Subject:* IE Team's Proposal for Cross Site Requests
> 
>  
> 
> Purpose
> 
> XDR helps web developers to create secure mashups, replacing less secure 
> or non-performant approaches, including SCRIPT SRC’ing content or IFRAME 
> injection.
> 
>  
> 
> Microsoft would like to submit XDR to the W3C for standardization so 
> that other browsers can benefit from this technology.
> 
>  
> 
>  
> 
> XDomainRequest (XDR)
> 
> 
>     Table of Contents
> 
> 1.0   Summary
> 
> 2.0   Background: /Overview of how XDR allows cross site requests/
> 
> 3.0   API Documentation: /Lists the programming 
> interface/methods/properties/
> 
> 4.0   Security Model Flowchart: /Highlights the security checks that IE8 
> makes for an XDR Request./
> 
> 5.0   Sample Site and Script: /For developers wishing to create an XDR 
> page./
> 
> 6.0   Developer Benefits of using XDR: /Covers XDR’s strengths by 
> demonstrating XDR’s goals of security and simplicity./
> 
> 7.0   Developer Release Notes: /A short bulleted list of issues 
> developers should we aware of when using the object and a summary of 
> what XDR cannot do./
> 
> 1.0 Summary
> 
> /With* Cross Domain Request* *(XDR)* developers can create cross site 
> data aggregation scenarios. Similar to the XMLHttpRequest object  but 
> with a simpler programming model, this request, called XDomainRequest, 
> is an easy way to make anonymous requests to third party sites that 
> support XDR and opt in to making their data available across domains. 
> Three lines of code will have you making basic cross site requests. This 
> will ensure data aggregation for public sites such as blogs etc will be 
> simple, secure and fast. XDR is an approach designed from the grounds up 
> with a focus on security. We understand the current cross domain 
> XMLHTTPRequest proposal and recognize its ability to provide a broader 
> set of services particularly around declarative auditing for access 
> control based scenarios and authenticated connections. It does however 
> come at the risk of more complexity and surface area of attack. While 
> these are certainly compelling scenarios we realize that existing 
> implementations have bugs (linked 1 
> <http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security.html>, 
> 2 <https://bugzilla.mozilla.org/show_bug.cgi?id=389508>), some of which 
> are resolved from the past like TOUCTOU and others like DNS Rebinding 
> remain mostly unaddressed. In addition, maintaining configuration is 
> challenging post deployment as Flash has encountered 
> <http://blog.monstuff.com/archives/000302.html> (wildcarding) in the 
> past. The IE team is not comfortable implementing a feature with a high 
> surface area of attack and open/incoming security issues and proposes 
> XDR as a safer alternative.///
> 
>  
> 
> 2.0 Background
> 
>  
> 
>  
> 
> Browsers enforce the same site origin policy, which blocks web pages 
> from accessing data from another domain. Websites often work around this 
> policy by having their server request content from another site’s server 
> in the backend, thus circumventing the check within the browser.
> 
>  
> 
> 
>  
> 
> 	
> 
> 
>  
> 
>  
> 
>  
> 
>  
> 
>  
> 
> 	Text Box: Figure 1 – IE7 and below need to make a request to the mashup 
> server which then needs to be proxied to the web server.
> 
> 
>  
> 
> In IE8 web pages can simply make a cross domain data request within the 
> browser using the new /XDomainRequest/ object instead of a 
> server-to-server requests.
> 
> Cross domain requests require mutual consent between the webpage and 
> server. You can initiate a cross domain request in your webpage by 
> creating a /xdomainrequest /object off the window object and opening a 
> connection to a particular domain. The browser will request data from 
> the domain’s server by sending a /XDomainRequest: 1 /header. It will 
> only complete the connection if the server responds with a 
> XDomainRequestAllowed header with the value “1” for true.
> 
>  
> 
> For example, a server’s asp page includes the following response header:
> 
> Response.AppendHeader("XDomainRequestAllowed","1");
> 
>  
> 
>  
> 
>  
> 
> *Security note: *Cross domain requests are anonymous to protect user 
> data, which means that servers cannot easily find out who is requesting 
> data. As a result, you only want to request and respond with cross 
> domain data that is not sensitive or personally identifiable.
> 
>  
> 
> 	
> 
> 
> 3.0 API Documentation
> 
>  
> 
> * *
> 
> *Methods*
> 
> Once you create a xdomainrequest object, you can use the /open()/ method 
> to open a connection with a domain’s server. This method supports the 
> GET and POST HTTP methods and takes the URL to connect to as a 
> parameter. Once you’ve opened a connection, you can use the /send()/ 
> method to send a data string to the server for processing if needed. For 
> example:
> 
>  
> 
> // 1. Create XDR object
> 
> xdr = new XDomainRequest();
> 
>  
> 
> //2. Open connection with server using POST method
> 
> xdr.open(“POST”, “http://www.contoso.com/xdr.txt”)
> 
>  
> 
> //3. Send string data to server
> 
> xdr.send(“data to be processed”)
> 
>  
> 
> XDR also has an /abort() /method to cancel an active request, which 
> takes no parameters. Data is not available on an abort.
> 
> * *
> 
> *Properties*
> 
> ·         *responseText - *After the server responds, you can retrieve 
> the data string through the read-only /responseText /property.
> 
> ·         *timeout - *You can use the /timeout /property to set or 
> retrieve the number of milliseconds the browser should wait for a server 
> to respond.   IE defaults to no timeout if this property is not 
> explicitly set. If the request times out, data is not available.
> 
> ·         *contentType *– If you are posting data to the server, use the 
> /contentType /property to define the content type string that will be 
> sent to the server. If you are using a GET then this property will allow 
> you to read the content type.
> 
>  
> 
> *Events*
> 
> XDR has the following events:
> 
> ·         *onerror* – this event fires when there is an error and the 
> request cannot be completed. For example, the network is not available
> 
> ·         *ontimeout *– this event fires when the request reaches its 
> timeout as defined by the above timeOut property. If the request times 
> out data is not available.
> 
> ·         *onprogress –* this event fires while the server responds to 
> the request by streaming data back to the browser.
> 
> ·         *onload *– this event fires when the cross domain request is 
> complete and data is available.
> 
>  
> 
> *Security note: *Cross domain requests can only be sent and received 
> from a web page to URLs in the following IE zones. We discourage 
> Intranet sites from making XDR data available to help prevent intranet 
> data from leaking to malicious Internet sites.
> 
>  
> 
>  
> 
> 	
> 
>  
> 
> 	
> 
> *Webpage equests data from a URL in the following zone:*
> 
>  
> 
> 	
> 
>  
> 
> 	
> 
> Local
> 
> 	
> 
> Intranet
> 
> 	
> 
> Trusted (Intranet)
> 
> 	
> 
> Trusted (Internet)
> 
> 	
> 
> Internet
> 
> 	
> 
> Restricted
> 
> *Webpage is in the following zone:*
> 
> 	
> 
> Local
> 
> 	
> 
> Allow
> 
> 	
> 
> Allow
> 
> 	
> 
> Allow
> 
> 	
> 
> Allow
> 
> 	
> 
> Allow
> 
> 	
> 
> Block
> 
> Intranet
> 
> 	
> 
> Block
> 
> 	
> 
> Allow
> 
> 	
> 
> Allow
> 
> 	
> 
> Allow
> 
> 	
> 
> Allow
> 
> 	
> 
> Block
> 
> Trusted (Intranet)
> 
> 	
> 
> Block
> 
> 	
> 
> Allow
> 
> 	
> 
> Allow
> 
> 	
> 
> Allow
> 
> 	
> 
> Allow
> 
> 	
> 
> Block
> 
> Trusted (Internet)
> 
> 	
> 
> Block
> 
> 	
> 
> Block
> 
> 	
> 
> Block
> 
> 	
> 
> Allow
> 
> 	
> 
> Allow
> 
> 	
> 
> Block
> 
> Internet
> 
> 	
> 
> Block
> 
> 	
> 
> Block
> 
> 	
> 
> Block
> 
> 	
> 
> Allow
> 
> 	
> 
> Allow
> 
> 	
> 
> Block
> 
> Restricted
> 
> 	
> 
> Block
> 
> 	
> 
> Block
> 
> 	
> 
> Block
> 
> 	
> 
> Block
> 
> 	
> 
> Block
> 
> 	
> 
> Block
> 
> * *
> 
> *Security note: *When using these XDR, safely handling data provided by 
> another web application is a critical operation.
> 
>  
> 
> For instance, the response could be parsed directly by Javascript, or it 
> could be evaluated with a freely available JSON parser (see 
> http://www.json.org/) or it could be inserted into a DOM as static text 
> (using .innerText).
> 
> * *
> 
> * *
> 
> * *
> 
> *Server Side*
> 
> The browser will request data from the domain’s server by sending a 
> /XDomainRequest: 1 /header. It will only complete the connection if the 
> server responds with an XDomainRequestAllowed header with the value “1” 
> for true.
> 
> For example, a server’s asp page includes the following response header:
> 
> *Response.AppendHeader("XDomainRequestAllowed","1");*
> 
> This can be done in IIS, for example, using an ASP.NET page. The line of 
> code below can be embedded in your ASP page to return the header.
> 
>  
> 
> *<<% Response.AddHeader  "XDomainRequestAllowed","1" %>Data*
> 
> * *
> 
> * *
> 
> 4.0 Security Model Flowchart
> 
> XDR Flowchart
> 
> 5.0 Sample Site and Script
> 
>  
> 
> Please refer to the AJAX Hands on Labs 
> <http://code.msdn.microsoft.com/iemix08labs/Release/ProjectReleases.aspx?ReleaseId=590> 
> on MSDN for demo script. This will need to be set up on your machine 
> from the resource files.
> 
>  
> 
> 6.0 Other Developer Benefits of Using XDR
> 
> 1.        Simple development model.
> 
> a.        On the server, the server operator must simply add one new 
> header to his HTTP response indicating that cross-domain sources may 
> receive the data.  HTTP Headers can be added by any CGI-style process 
> (PHP/ASPNET/etc) or by the web server software (Apache/IIS/etc) itself.
> 
> b.        On the client, the XDR object is all about 
> cross-domain-requests.  Because XDR is a new object we are not forced to 
> “bolt on” cross-domain security.  For example, XDR has no means of 
> adding a custom header, because custom headers are dangerous for 
> cross-domain security as the current web model does not expect a custom 
> header being sent across domains. We’ve encountered experiences when web 
> applications in the past if encountering a custom header using XHR 
> assume it’s coming from the same site.
> 
>  
> 
> 2.        Provably secure
> 
> a.        The XDR security model is simple.  The client sends a request 
> that clearly identifies its cross-domain nature, and the server must 
> respond in kind for the Same-Origin-Policy to be relaxed such that the 
> client can read the response.  If the server does not set the response 
> header (a “non-participating” server), the client script is not 
> permitted to read the response or determine anything about the target 
> server.
> 
>  
> 
> b.        XDR is very tightly scoped to minimize the risk of increasing 
> security exposure of the browser.
> 
> 1.        Specifically, any request sent by XDR could also be emitted by 
> a properly coded HTML FORM object.  Hence, any “non-participating” web 
> server put at risk by XDR is also at risk from simple HTML.
> 
>  
> 
> Note: The only additional exposure XDR adds is the ability of the client 
> to set a specific Content-Type header.
> 
>  
> 
> 2.        As XDR strips all credentials and cookies, it prevents even 
> less attack surface for use in a Cross-Site-Request-Forgery (CSRF) 
> <http://en.wikipedia.org/wiki/Cross-site_request_forgery> attack than a 
> HTML Form.
> 
>  
> 
> c.        XDR attempts to block cross-zone/protocol requests, an ASR 
> which exceeds that undertaken elsewhere in the browser (e.g. SCRIPT SRC) 
> due to compatibility concerns.
> 
>  
> 
> 3.        Improved Access  Control “Locality”
> 
> a.        Unlike policy file-based security, the XDR handshake is a part 
> of the HTTP request and response.  This means that XDR is not at risk 
> from DNS-Rebinding <http://en.wikipedia.org/wiki/DNS_rebinding> or 
> Time-of-Check-Time-of-Use 
> <http://en.wikipedia.org/wiki/Time-of-check-to-time-of-use> attacks.
> 
> b.        Policy files must be located in a particular location on the 
> server, which may cause operational problems for users with limited 
> permissions on the server.  For example, consider the shared hosting 
> case, where only one admin may write to the server root, but many users 
> have permissions to write to sub-folders.  The users must petition the 
> admin for an update to the policy file.
> 
>  
> 
> 4.        Access-Control Flexibility
> 
> a.        As Access-Control is based on a per-response basis, the server 
> may choose to allow or deny access based upon any criteria desired.  For 
> instance, Referer of client, time of day, number of requests per hour, 
> etc, etc.
> 
> b.        The XDR security model prevents attackers from easily 
> determining the access control rules of the server.  The server may keep 
> their rules as a trade secret.
> 
>  
> 
> 7.0 Developer Release Notes
> 
> ·         Not yet available across browsers; not a W3C standard.
> 
> ·         Services must be explicitly coded to operate with XDR. 
> 
> ·         As HTTP Methods are deliberately limited, standard REST-based 
> interop is not possible.
> 
> ·         As credentials are not provided by the browser, the client 
> must transmit them in the request body.  This typically should not be a 
> problem but this could prevent use of the HttpOnly attribute on cookies 
> that must be sent for credentials.
> 
> ·         The XDR handshake is HTTP-specific and cannot be directly 
> translated for reuse in other protocols or situations (E.g. raw socket 
> access). 
> 
>  
> 
>  
> 
>  
> 
> -- 
> *Sunava D*utta
> Program Manager (AJAX) - Developer Experience Team, Internet Explorer
> 
> One Microsoft Way, Redmond WA 98052
> TEL# (425) 705-1418
> 
> FAX# (425) 936-7329
> 
>  
> 
Received on Friday, 14 March 2008 18:25:38 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 14 March 2008 18:25:38 GMT