Sunava Dutta wrote:
> Maciej Stachowiak [mjs@apple.com] said:
> <<But not exactly identical, since forms can't be used to POST XML content with a proper MIME type cross-domain.>>
>
> You're right-- setting an arbitrary request content-type is a capability not present in HTML forms today. While we believe that this is a minimal increase in attack surface, we agree that it's worth considering whether or not such capability should be removed.
>
> If removed, all XDR POST requests could be sent with:
>
> Content-Type: text/plain; charset=UTF-8
>
> Servers would then be flexible in interpreting the data in the higher-level format they expect (JSON, XML, etc).
>
What? No, you should send the requests with no Content-Type at all, as
the Content-Type is not known.
Or, if you really do not want to increase the attack surface, you should
always send the content type application/x-www-form-urlencoded, and only
allow request entities constructed through an API. Because servers only
expect x-www-form-urlencoded and not text/plain, and servers might have
parsing issues if the POST body is malformed, both leading to changes
from what is currently possible with HTML and thus, security risks.
Note by the way that cross-site XHR basically works on a model that
normally ONLY allows GET requests (addressing my concerns on POST in my
previous mail), contrary to XDR which allows GET and POST. So this issue
you’re having does not apply to XHR. 1-0 for XHR.
Cross-site XHR has a special opt-in method to allow POST, DELETE and PUT
requests as well, when it is needed. This will not put any existing
sites at risk, because it’s opt-in (unlike XDR’s POST), the server needs
to EXPLICITLY allow them for a specific resource. Allowing these methods
at all is necessary to prevent sites from overloading the GET
request in order to acquire their desired functionality. 2-0 for XHR.
~Grauw
--
Ushiko-san! Kimi wa doushite, Ushiko-san nan da!!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Laurens Holst, student, university of Utrecht, the Netherlands.
Website: www.grauw.nl. Backbase employee; www.backbase.com.
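As an added illustration (this code is not part of the thread and not from either of the specifications it discusses): the rule that later became standard CORS draws exactly the line argued over above. A cross-origin request is sent without a preflight only when it is no more than an HTML form could already send (GET, HEAD or POST with a form-style Content-Type); any other method, or a body with a Content-Type such as application/xml, first requires the server to opt in for that resource by answering an OPTIONS preflight. The first function models the browser's decision, the second a server-side preflight handler with a per-resource opt-in table. The paths, origins and policy table are hypothetical.

```javascript
// Added example (not from the original thread): models the CORS "simple
// request" rule as later standardized, plus a per-resource opt-in preflight
// handler. The policy table, paths and origins below are hypothetical.

// Methods and Content-Types an HTML form can already send cross-site.
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);
// Request headers a script may set without triggering a preflight
// (Content-Type only if its media type is in the set above).
const SAFELISTED_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);

// "text/plain; charset=UTF-8" -> "text/plain"
function mediaType(value) {
  return String(value).split(";")[0].trim().toLowerCase();
}

// True when the browser must first ask the server via OPTIONS, i.e. the
// request exceeds what a plain HTML form could do without any opt-in.
function needsPreflight(method, headers) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(n)) return true;
    if (n === "content-type" && !SAFELISTED_CONTENT_TYPES.has(mediaType(value))) {
      return true;
    }
  }
  return false;
}

// Hypothetical per-resource opt-in: which origins may use which methods and
// which non-safelisted headers (or non-form Content-Types) on each path.
const policy = {
  "/api/items": {
    origins: new Set(["https://app.example"]),
    methods: new Set(["GET", "POST", "PUT", "DELETE"]),
    headers: new Set(["content-type"]),
  },
  "/public/feed": {
    origins: new Set(["*"]),
    methods: new Set(["GET"]),
    headers: new Set(),
  },
};

// Server side of the preflight. Returns {status, headers}. Anything other
// than an allow response means the browser will not send the real request,
// so a resource that never opted in is never exposed to PUT/DELETE/XML POSTs.
function handlePreflight(path, origin, requestedMethod, requestedHeaders, table) {
  const rule = table[path];
  if (!rule) return { status: 403, headers: {} };
  const originOk = rule.origins.has("*") || rule.origins.has(origin);
  const methodOk = rule.methods.has(requestedMethod.toUpperCase());
  const headersOk = requestedHeaders.every((h) => rule.headers.has(h.toLowerCase()));
  if (!originOk || !methodOk || !headersOk) return { status: 403, headers: {} };
  return {
    status: 204,
    headers: {
      "Access-Control-Allow-Origin": rule.origins.has("*") ? "*" : origin,
      "Access-Control-Allow-Methods": [...rule.methods].join(", "),
      "Access-Control-Allow-Headers": [...rule.headers].join(", "),
      "Access-Control-Max-Age": "600",
    },
  };
}

// Walk-through of the cases argued in the thread.
const cases = [
  ["POST", { "Content-Type": "text/plain; charset=UTF-8" }],            // form-equivalent
  ["POST", { "Content-Type": "application/x-www-form-urlencoded" }],   // form-equivalent
  ["POST", { "Content-Type": "application/xml" }],                      // not a form type
  ["DELETE", {}],                                                       // method not in forms
];
for (const [m, h] of cases) {
  console.log(m, JSON.stringify(h), "preflight:", needsPreflight(m, h));
}
console.log(handlePreflight("/api/items", "https://app.example", "PUT", ["content-type"], policy));
console.log(handlePreflight("/public/feed", "https://other.example", "DELETE", [], policy));
```

Note that a POST with `text/plain` slips through without a preflight precisely because a form can produce it, which is why the thread treats that Content-Type as no new attack surface; the server still has to parse such a body defensively, since the browser has not asked it anything first.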