W3C home > Mailing lists > Public > public-webapi@w3.org > March 2008

Re: IE Team's Proposal for Cross Site Requests

From: Jonas Sicking <jonas@sicking.cc>
Date: Tue, 18 Mar 2008 10:45:07 -0700
Message-ID: <47DFFFA3.40103@sicking.cc>
To: Laurens Holst <lholst@students.cs.uu.nl>
CC: Sunava Dutta <sunavad@windows.microsoft.com>, Maciej Stachowiak <mjs@apple.com>, Eric Lawrence <ericlaw@exchange.microsoft.com>, "Web API WG (public)" <public-webapi@w3.org>, "public-appformats@w3.org" <public-appformats@w3.org>, Chris Wilson <Chris.Wilson@microsoft.com>, Zhenbin Xu <zhenbinx@windows.microsoft.com>, Gideon Cohn <gidco@windows.microsoft.com>, Sharath Udupa <Sharath.Udupa@microsoft.com>, Doug Stamper <dstamper@exchange.microsoft.com>, Marc Silbey <marcsil@windows.microsoft.com>

Laurens Holst wrote:
> Laurens Holst schreef:
>> Or, if you really do not want to increase the attack surface, you 
>> should always send the content type application/x-www-form-urlencoded, 
>> and only allow request entities constructed through an API. Because 
>> servers only expect x-www-form-urlencoded and not text/plain, and 
>> servers might have parsing issues if the POST body is malformed, both 
>> leading to changes from what is currently possible with HTML and thus, 
>> security risks. 
> 
> Sorry, apparantly this is a misconception of mine, using 
> encoding="text/plain" you can apparantly already send arbitrary 
> requests. So ignore this paragraph please :). The rest does still apply.
> 
> By the way, I do not see how requiring servers to ignore the request 
> entity content type and forcing them to do content sniffing makes things 
> more secure, instead of less.

Though to be honest I would really like to figure out a way to disable 
cross-site POSTs even from forms. CSRF is a big problem with tons of 
sites vulnerable today.

So I'd really like to not perpetuate the model of allowing cross-site 
POSTs. An interesting first step in that direction would be to disallow 
cross-site text/plain posts since they are so rare that it'd likely not 
affect many sites.

/ Jonas
Received on Tuesday, 18 March 2008 17:46:46 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 18 March 2008 17:46:48 GMT