
Re: Proposal for an extension XMLHttpRequest to allow sending files

From: Jonas Sicking <jonas@sicking.cc>
Date: Mon, 28 Jul 2008 10:45:35 -0700
Message-ID: <488E05BF.5040506@sicking.cc>
To: Arthur Barstow <art.barstow@nokia.com>
Cc: ext Sam Weinig <weinig@apple.com>, Web Applications Working Group WG <public-webapps@w3.org>

Arthur Barstow wrote:
> Hi Sam,
> This seems like a reasonable extension to me.
> A colleague asks "Are there any new security concerns by putting this 
> inside XHR, or is the assumption that we are not exposing anything new?"
> What are your thoughts on that question? I presume "not exposing 
> anything new" given this type of functionality is already provided (e.g. 
> form submission as mentioned below).

Yes, I believe that when we implemented a similar feature in Mozilla 
(different API though) we came to the conclusion that it didn't expose 
anything significantly new.

There were a few differences though:
If the File object can be stored in an offline cache, this means that 
somebody could today be theoretically protected while inside a corporate 
firewall, as long as they always restart the browser before leaving that 
firewall. I.e. even if you were somehow tricked into choosing to upload 
a file, a corporate firewall could protect that data from ever reaching 
the server. However if the File object can be stored in an offline cache, 
such as localStore, then restarting the browser will not prevent this.

Same holds true if a File object can be used to directly read data out 
from the file.

So while File upload through XHR on its own does not seem to cause any 
security issues, there are some theoretical attacks where it can be used 
in combination with other things.

However at Mozilla we did not consider these new attacks likely enough 
that it prevented us from implementing the feature. The main line of 
defense is the browser UI that lets you choose a file to upload. If that 
doesn't protect the user well enough, the user is in the vast majority 
of cases compromised anyway.

/ Jonas
Received on Monday, 28 July 2008 17:47:15 UTC
