
RE: IE Team's Proposal for Cross Site Requests

From: Ian Hickson <ian@hixie.ch>
Date: Thu, 22 May 2008 20:39:08 +0000 (UTC)
To: Chris Wilson <Chris.Wilson@microsoft.com>
Cc: "arun@mozilla.com" <arun@mozilla.com>, "public-webapi@w3.org" <public-webapi@w3.org>, "public-appformats@w3.org" <public-appformats@w3.org>
Message-ID: <Pine.LNX.4.62.0805222027300.12907@hixie.dreamhostps.com>

On Thu, 22 May 2008, Chris Wilson wrote:
> 
> In both XHR2+AC and Flash's policy file approach, the "allow 
> credentials" and the actual access to data occur in separate network 
> transactions, and likely (but not guaranteed, of course) separate 
> network connections.  This enables the vector of DNS attacks - the idea 
> being that between those two connections, an attacker could insert 
> themselves into the stream.  (Actually, more likely it would be the 
> other way around - an attacker would insert themselves into the stream, 
> give back "it's okay to do x-domain", then release and let the real site 
> give back data.)
> 
> XDR, by contrast, performs the "access check" in effect on the same 
> connection, since it's not a multi-part negotiation.

I think you're misunderstanding what it is that the preflight check does. 
In XHR/AC, the preflight is a check to ensure that the server is willing 
to receive the request in the first place. XDR doesn't check for this at 
all (it's why it is possible to use XDR to POST to unsuspecting intranet 
servers, something you can't do with XHR unless the intranet server only 
supports HTTP 1.0 and thus doesn't check Host: headers).

In both XDR _and_ XHR/AC, the response is checked for the correct magic 
bits before any data is returned to the client. The security check is 
still done on the response, the data from the original OPTIONS request 
isn't used to determine whether or not to return data to the client.

In any case, if your DNS infrastructure has been compromised to the level 
that you describe then all of this is moot. If you can control what 
arbitrary hosts resolve to then there are much more effective attack 
scenarios, such as taking over the JS file that does all the XHRing in the 
first place, or stealing the user's credentials or cookies directly. 
Talking about DNS rebind attacks against XHR's OPTIONS infrastructure is 
like talking about whether to use bullet-proof glass or shatter-free glass 
on the front of a hot dog stand.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 22 May 2008 20:40:00 GMT
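The two gates Ian describes, a preflight that decides whether a non-simple request is sent at all and a separate check on the actual response before any data is released, as an added JavaScript model that is not code from this thread. It assumes today's CORS header names (the 2008 draft spelled them differently), lowercased header keys, and that every non-GET/HEAD method is preflighted, as the remark about POST implies; the servers are constructed in memory.

```javascript
// Added example, not from the thread. Assumes today's CORS header names,
// lowercased header keys, and that every non-GET/HEAD method is preflighted.
const SIMPLE_METHODS = new Set(["GET", "HEAD"]);

// Gate 1 (preflight): a non-simple request is only *sent* after the server has
// answered OPTIONS saying it is willing to receive it. XDR has no such gate.
function needsPreflight(method, headers = {}) {
  return !SIMPLE_METHODS.has(method) || Object.keys(headers).length > 0;
}

function originAllowed(headers, origin) {
  const allow = headers["access-control-allow-origin"];
  return allow === "*" || allow === origin;
}

function preflightAllows(pfHeaders, origin, method) {
  const methods = (pfHeaders["access-control-allow-methods"] || "")
    .split(",").map((m) => m.trim().toUpperCase());
  return originAllowed(pfHeaders, origin) &&
    (SIMPLE_METHODS.has(method) || methods.includes(method));
}

// Gate 2 (response): the body reaches the page only if *this* response carries
// the allow header; nothing from the earlier OPTIONS exchange is reused.
function releaseBody(respHeaders, body, origin) {
  return originAllowed(respHeaders, origin) ? body : null;
}

// Runs the flow against an in-memory server with options() and handle(method).
// Returns { sent, body } so the caller can see which gate stopped the request.
function crossSiteRequest(origin, method, headers, server) {
  if (needsPreflight(method, headers) &&
      !preflightAllows(server.options(), origin, method)) {
    return { sent: false, body: null }; // request never leaves the browser
  }
  const resp = server.handle(method);
  return { sent: true, body: releaseBody(resp.headers, resp.body, origin) };
}

// Constructed servers: one unaware of cross-site requests, one whose preflight
// is permissive but whose real response is not, and one configured correctly.
const APP = "https://app.example";
const PF_OK = { "access-control-allow-origin": APP, "access-control-allow-methods": "DELETE" };
const intranet = { options: () => ({}), handle: () => ({ headers: {}, body: "secret" }) };
const halfConfigured = { options: () => PF_OK, handle: () => ({ headers: {}, body: "secret" }) };
const correct = {
  options: () => PF_OK,
  handle: () => ({ headers: { "access-control-allow-origin": APP }, body: "secret" }),
};
```

A spoofed "yes" on the OPTIONS leg (the `halfConfigured` case) lets the request go out but still yields no data, which is the point of the reply.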
