W3C home > Mailing lists > Public > public-webapi@w3.org > March 2008

Re: IE Team's Proposal for Cross Site Requests

From: Maciej Stachowiak <mjs@apple.com>
Date: Mon, 17 Mar 2008 16:13:14 -0700
Cc: Eric Lawrence <ericlaw@exchange.microsoft.com>, "Web API WG (public)" <public-webapi@w3.org>, "public-appformats@w3.org" <public-appformats@w3.org>, Chris Wilson <Chris.Wilson@microsoft.com>, Zhenbin Xu <zhenbinx@windows.microsoft.com>, Gideon Cohn <gidco@windows.microsoft.com>, Sharath Udupa <Sharath.Udupa@microsoft.com>, Doug Stamper <dstamper@exchange.microsoft.com>, Marc Silbey <marcsil@windows.microsoft.com>
Message-Id: <F3843D0D-8E01-473D-9151-E25C95814CE4@apple.com>
To: Sunava Dutta <sunavad@windows.microsoft.com>


On Mar 17, 2008, at 2:29 PM, Sunava Dutta wrote:

> Maciej Stachowiak [mjs@apple.com] said:
> <<But not exactly identical, since forms can't be used to POST XML  
> content with a proper MIME type cross-domain.>>
>
> You're right-- setting an arbitrary request content-type is a  
> capability not present in HTML forms today.  While we believe that  
> this is a minimal increase in attack surface, we agree that it's  
> worth considering whether or not such capability should be removed.
>
> If removed, all XDR POST requests could be sent with:
>
>                Content-Type: text/plain; charset=UTF-8
>
> Servers would then be flexible in interpreting the data in the  
> higher-level format they expect (JSON, XML, etc).

I think encouraging more content sniffing of text/plain on the server  
side is likely to increase, not reduce attack surface.

> Maciej Stachowiak [mjs@apple.com] asked:
> <<What I'd like to understand is whether there are security benefits  
> to the API and protocol differences.>>
>
> We believe that the XDR proposal represents a simpler mechanism for  
> enabling the most commonly requested types of cross-domain access.   
> We believe that such simplicity will lead to improved security in  
> practical implementations by browsers.
>
> There are many threats against a cross-domain communication  
> mechanism, so we believe the simplicity of XDR makes it more  
> suitable than attempting to plumb cross-domain capabilities into the  
> existing XHR object.  In particular, we are concerned that  
> attempting to introduce new restrictions/added complexity on an XHR  
> object when it is used in a cross-domain manner will result in a  
> confusing programming model for the web developer.

So far I have not heard any *specific* security risks of the Access- 
Control model as compared to XDR, at least none that have held up to  
closer scrutiny. Is Microsoft aware of any specific such risks, as  
opposed to general concerns?

Certainly simplicity of client-side authoring, server-side authoring  
and implementation are worth discussing as well, but I think the  
approaches are similar enough that simplicity in itself is not a major  
security issue.

Regards,
Maciej
Received on Monday, 17 March 2008 23:13:57 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 17 March 2008 23:14:00 GMT