
RE: Question regarding XDR and https

From: Sunava Dutta <sunavad@windows.microsoft.com>
Date: Wed, 26 Mar 2008 18:51:06 -0700
To: "Hallvord R. M. Steen" <hallvord@opera.com>, "public-webapi@w3.org" <public-webapi@w3.org>
CC: Eric Lawrence <ericlaw@exchange.microsoft.com>, David Ross <dross@windows.microsoft.com>, Chris Wilson <Chris.Wilson@microsoft.com>, Marc Silbey <marcsil@windows.microsoft.com>, Doug Stamper <dstamper@exchange.microsoft.com>, Gideon Cohn <gidco@windows.microsoft.com>, Sharath Udupa <Sharath.Udupa@microsoft.com>, Zhenbin Xu <zhenbinx@windows.microsoft.com>
Message-ID: <083D18C6B9B71F4CBCA7B76D97B7483102C681B85F@NA-EXMSG-W601.wingroup.windeploy.ntdev.microsoft.com>

XDR will not participate in HTTPS client authentication, so there is no threat here.

-----Original Message-----
From: public-webapi-request@w3.org [mailto:public-webapi-request@w3.org] On Behalf Of Hallvord R. M. Steen
Sent: Wednesday, March 26, 2008 6:08 PM
To: public-webapi@w3.org
Subject: Question regarding XDR and https


Hi,
I understand that XDomainRequests will omit sending any cookies and
HTTP-Auth to a 3rd party site. However, what happens if the 3rd party site
uses SSL-based authentication instead? For example, my bank uses an SSL
certificate saved in my browser. Can https://attacker.example.com now use
XDR to send POST requests to my bank with my SSL credentials?

If this is the case, I think XDR does increase attack surface compared to
HTML form posts, because many browsers are configured to warn or inform
the users when entering or leaving HTTPS sites. (Most likely everybody on
this list has disabled the warning/information message years ago, but many
average users will still have it enabled.)

--
Hallvord R. M. Steen
Core QA JavaScript tester, Opera Software
http://www.opera.com/
Opera - simply the best Internet experience
Received on Thursday, 27 March 2008 01:51:15 GMT
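A server-side mitigation for the risk Hallvord raises, as an added example that is not part of either message: whatever policy a browser applies to attaching ambient credentials (cookies, HTTP auth, or a stored client certificate), a bank endpoint that also requires a per-session anti-CSRF token rejects forged cross-site POSTs, whether they arrive via XDomainRequest or via an HTML form. The SERVER_KEY, the request dictionary shape and the tls_client_subject field (the identity a TLS terminator would pass after verifying the client certificate) are constructed assumptions for the demonstration.

```python
import hashlib
import hmac

# Assumption: a per-deployment secret held only by the server. Constructed value.
SERVER_KEY = b"constructed-server-secret-do-not-reuse"


def issue_csrf_token(cert_subject: str, session_id: str) -> str:
    """Token bound to the certificate-authenticated identity and the session.

    It is embedded only in pages the bank serves to that user, so a page on
    another origin (which can trigger a request but cannot read the bank's
    responses) has no way to learn it.
    """
    msg = f"{cert_subject}|{session_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def handle_transfer(request: dict) -> tuple[int, str]:
    """Decide whether a POST to the transfer endpoint is accepted.

    request (constructed shape):
      method             -- HTTP method
      tls_client_subject -- subject of the verified client certificate, or None
      session_id         -- value of the session cookie, or None
      form               -- submitted form fields
    """
    if request.get("method") != "POST":
        return 405, "method not allowed"

    subject = request.get("tls_client_subject")
    if not subject:
        return 401, "client certificate required"

    session_id = request.get("session_id")
    if not session_id:
        return 401, "session required"

    # Ambient credentials (cert, cookie) prove who the browser belongs to,
    # not that the user intended this request. The token proves intent.
    submitted = request.get("form", {}).get("csrf_token", "")
    expected = issue_csrf_token(subject, session_id)
    if not hmac.compare_digest(submitted, expected):
        return 403, "missing or invalid anti-CSRF token"

    amount = request.get("form", {}).get("amount", "0")
    return 200, f"transfer of {amount} accepted for {subject}"


def legitimate_request() -> dict:
    """Constructed: a POST from the bank's own page, carrying the user's token."""
    return {
        "method": "POST",
        "tls_client_subject": "CN=alice,O=Example Bank Customers",
        "session_id": "sess-1234",
        "form": {
            "amount": "100",
            "csrf_token": issue_csrf_token("CN=alice,O=Example Bank Customers", "sess-1234"),
        },
    }


def forged_cross_site_request() -> dict:
    """Constructed: a POST triggered from a third-party origin. The browser may
    attach the certificate and cookie, but the attacker cannot supply the token."""
    return {
        "method": "POST",
        "tls_client_subject": "CN=alice,O=Example Bank Customers",
        "session_id": "sess-1234",
        "form": {"amount": "100"},
    }


if __name__ == "__main__":
    print(handle_transfer(legitimate_request()))
    print(handle_transfer(forged_cross_site_request()))
```

The check deliberately relies only on something a third-party origin cannot read, so it holds regardless of whether a particular browser or request mechanism attaches the client certificate.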
