W3C home > Mailing lists > Public > public-webapi@w3.org > May 2008

Re: IE Team's Proposal for Cross Site Requests

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Tue, 27 May 2008 18:40:02 +0200
To: Chris Wilson <Chris.Wilson@microsoft.com>
Cc: public-webapi@w3.org, public-appformats@w3.org
Message-ID: <1cdo345elm3nsato6apv5e2j4q9jgvp34m@hive.bjoern.hoehrmann.de>

* Chris Wilson wrote:
>In both XHR2+AC and Flash's policy file approach, the "allow
>credentials" and the actual access to data occur in separate network
>transactions, and likely (but not guaranteed, of course) separate
>network connections.  This enables the vector of DNS attacks - the idea
>being that between those two connections, an attacker could insert
>themselves in to the stream.  (Actually, more likely it would be the
>other way around - an attacker would insert themselves into the stream,
>give back "it's okay to do x-domain", then release and let the real site
>give back data.

It is insufficient to describe what an attacker could do, you have to
show that an attacker can compromise a system only because of the new
feature. The attack you describe transforms cross site requests into
same origin requests, instead of injecting a spoofed OPTIONS response
the attacker could just as well inject a spoofed GET response and have
a script included that then has same-origin access to the site. What
you describe is essentially as powerful as a XSS vulnerability. There
may well be attack vectors that have not yet been considered, but this
is not one of them.

>XDR, by contrast, performs the "access check" in effect on the same
>connection, since it's not a multi-part negotiation.

If true, this is actually only so due to some undocumented implemen-
tation detail. At the moment the XDR implementation in the IE8 Beta
agressively bypasses caches, otherwise it would be vulnerable to the
"attack" you describe above because the attacker could inject a 304
response that updates the XDR header in a cached response and the
browser would then grant access to it despite the victim forbidding
that. As I understand it, "XHR2+AC" implementers want to cache the
responses, so I would expect them to by actually "vulnerable", but
see above.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Tuesday, 27 May 2008 16:40:39 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 27 May 2008 16:40:40 GMT