W3C home > Mailing lists > Public > public-webapi@w3.org > March 2008

Re: IE Team's Proposal for Cross Site Requests

From: Kris Zyp <kris@sitepen.com>
Date: Sat, 15 Mar 2008 08:35:11 -0600
Message-ID: <00de01c886ad$ff0f34f0$0500a8c0@kris>
To: "Maciej Stachowiak" <mjs@apple.com>, "Sunava Dutta" <sunavad@windows.microsoft.com>
Cc: "Web API WG \(public\)" <public-webapi@w3.org>, "Eric Lawrence" <ericlaw@exchange.microsoft.com>, "Chris Wilson" <Chris.Wilson@microsoft.com>, "Zhenbin Xu" <zhenbinx@windows.microsoft.com>, "Gideon Cohn" <gidco@windows.microsoft.com>, "Sharath Udupa" <Sharath.Udupa@microsoft.com>, "Doug Stamper" <dstamper@exchange.microsoft.com>, "Marc Silbey" <marcsil@windows.microsoft.com>, "WAF WG \(public\)" <public-appformats@w3.org>

> How does this compare to the Cross-Site Extensions for XMLHttpRequest
> standard
> that is being developed by Web API and Web App Formats (and
> as implemented in Firefox betas)?
The major ones, IMO:
1. XDomainRequest uses a different constructor/API to make requests
(XDomainRequest instead of XMLHttpRequest).
2. XDomainRequest does not allow any headers. The W3C/AC for XSite requests
allows headers like "Accept" and "Accept-Language" which are crucial for the
fundamental HTTP capability of content and language negotiation.
3. Completely different server side response required to validate cross-site
requests are acceptable. XDomainRequest looks for a response header of
"XDomainRequestAllowed: 1", while W3C/AC, looks for an Access-Control header
which has more fine-grained control.
4. Cookies and credentials are not sent with XDomainRequest. I believe this
is still being discussed with W3C/AC.
5. Standard HTTP REST methods (PUT and DELETE) are not supported with
XDomainRequest, but are supported with W3C/AC.


> From Apple's point of view we would like to have a
> unified standard in this area.
>From web developer/framework developer's point of view, we would also
like a unified standard. Creating a new divergent API for cross-site
requests with XDR is certainly not the most beneficial approach for web
developers. Cross-site requests that work in all browsers (those that
implement W3C/AC and XDR) would look like:
if (window.XDomainRequest) {
    var xhr = new XDomainRequest(); // IE's cross-domain request technique
}
else {
    var xhr = new XMLHttpRequest(); // W3C and standards compliant browsers
cross-domain request technique
}
xhr.open("POST","http://otherdomain.com",true);
xhr.send();

And on the server, the server needs to at least set headers
"XDomainRequestAllowed: 1" and "Access-Control: allow *" for the responses
to be accessible in all browsers.
Does this seem like a clean API for devs? I think it would be much cleaner
and easier for developers if Microsoft adopted the W3C cross-site request
mechanism and worked to improve it, rather than creating a different API.

snipping from Chris's email:
> The short version is, as Sunava discusses in the summary of this mail,
> that x-domain XHR (and Flash’s approach, et al) is subject to specific
> x-domain injection attacks because of its persistent-allow design.

I understand that MS has security concerns, but rewriting the API is not
necessary to address these concerns. If there are aspects of the W3C/AC
proposal that MS doesn't like, I am sure discussion and feedback would be
welcome. Even minor deviations from W3C/AC proposal to satisfy the Microsoft
security concerns (such as stripping cookies, and requiring the
Access-Control header on every response) would be vastly better than using a
completely different API. I think the web development community would
appreciate standards convergence much more than multiple APIs. Having
multiple APIs increases complexity which increases the vector of possible
attacks.

> Specifically, any request sent by XDR could also be emitted by a
> properly coded HTML FORM object.  Hence, any “non-participating”
> web server put at risk by XDR is also at risk from simple HTML.

This is not true. I could send a POST request with XDR with a body of any
string. This is not possible in a form. A form strictly encodes everything
in URL encoded format. A server that expects that a body with pure JSON
would only come from a safe client (since this is not possible with a form),
would be in for a surprise with XDR. W3C/AC protects against this
vulnerability. IMO, this is a vulnerability and XDR may actually be
less secure than W3C/AC (and certainly less funtional).

Thanks,
Kris
Received on Saturday, 15 March 2008 15:06:36 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Saturday, 15 March 2008 15:06:38 GMT