
RE: XDomainRequest Integration with AC

From: Ian Hickson <ian@hixie.ch>
Date: Sat, 19 Jul 2008 01:30:07 +0000 (UTC)
To: Eric Lawrence <ericlaw@exchange.microsoft.com>
Cc: Maciej Stachowiak <mjs@apple.com>, Sunava Dutta <sunavad@windows.microsoft.com>, "annevk@opera.com" <annevk@opera.com>, "jonas@sicking.cc" <jonas@sicking.cc>, Sharath Udupa <Sharath.Udupa@microsoft.com>, Zhenbin Xu <Zhenbin.Xu@microsoft.com>, Gideon Cohn <gidco@windows.microsoft.com>, "public-webapps@w3.org" <public-webapps@w3.org>, IE8 Core AJAX SWAT Team <ieajax@microsoft.com>
Message-ID: <Pine.LNX.4.62.0807190118410.12994@hixie.dreamhostps.com>

On Fri, 18 Jul 2008, Eric Lawrence wrote:
>
> In the scenario you described, the threat was that there would be 
> information disclosure against an unsuspecting redirector in the middle 
> of a redirection chain.
> 
> It's not clear to me how providing read-access to the final destination 
> (which must opt-in to such access using an Access-Control response 
> header) would somehow disclose any information about the intermediary 
> redirector?
> 
> Could you describe a simple step-by-step attack scenario?

Let's say that there is a network of sites A, B, and C that all provide 
the same feature that is Access-Control-enabled. These features are 
distinguishable (i.e. you can tell which site it is from looking at the 
content of the Access-Control-enabled page).

Now suppose company X every week picks one of A, B, and C, and that 
knowing the pick ahead of time, if you're not an employee of company X or 
sites A, B, or C can lead to some financial gain.

Now in company X's intranet, there is a server that redirects to the 
Access-Control-enabled feature of the site that will be picked in the 
coming week.

A hostile user could send an e-mail or IM to an employee of company X 
getting them to visit a page under the hostile user's control. That page 
now just has to do a cross-domain request to the intranet page to figure 
out which site will be picked in the coming week.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Saturday, 19 July 2008 01:30:46 GMT
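The leak described in the message above, modelled as an added example that is not part of the original thread: each hop in the redirect chain is an origin plus the Access-Control-Allow-Origin value it sends, and two browser policies are compared, one that consults only the final destination (the behaviour Eric asked about) and one that requires every hop, redirectors included, to opt in. The origins and bodies are constructed for illustration.

```python
"""Model of the redirect-chain information leak discussed in the thread.

Policies compared:
  * "final-only": expose the response if only the final destination opts in.
  * "every-hop":  expose the response only if every hop in the chain,
                  including each redirector, opts in for the requester.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Hop:
    origin: str                  # origin that answered this request
    allow_origin: Optional[str]  # Access-Control-Allow-Origin, or None if absent
    body: str = ""               # only the final hop carries a body


def hop_opts_in(hop: Hop, requester: str) -> bool:
    """A hop opts in when it names the requesting origin or '*'."""
    return hop.allow_origin in ("*", requester)


def exposed_body(chain: List[Hop], requester: str, policy: str) -> Optional[str]:
    """Return the body the requesting page may read, or None if blocked."""
    if policy == "final-only":
        hops_to_check = chain[-1:]
    elif policy == "every-hop":
        hops_to_check = chain
    else:
        raise ValueError(f"unknown policy: {policy}")
    if all(hop_opts_in(h, requester) for h in hops_to_check):
        return chain[-1].body
    return None


# Constructed scenario: the intranet redirector never sends an
# Access-Control header; public feature site B does (with '*').
INTRANET_REDIRECTOR = Hop("http://intranet.example", None)
SITE_B = Hop("https://b.example", "*", body="feature from B")


def leaked_pick(policy: str, requester: str = "https://outside.example") -> Optional[str]:
    """What an outside page learns about the redirector's target under a policy."""
    body = exposed_body([INTRANET_REDIRECTOR, SITE_B], requester, policy)
    return None if body is None else body.split()[-1]
```

Under "final-only" the outside page reads B's distinguishable content and so learns the intranet redirector's target; under "every-hop" the redirector's silence blocks the response even though B opted in.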