W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2008

Re: Proposal for an extension XMLHttpRequest to allow sending files

From: Sam Weinig <weinig@apple.com>
Date: Mon, 28 Jul 2008 11:08:49 -0700
Cc: Arthur Barstow <art.barstow@nokia.com>, Web Applications Working Group WG <public-webapps@w3.org>
Message-Id: <E9BD952A-6369-4904-83E2-00109F857DD3@apple.com>
To: Jonas Sicking <jonas@sicking.cc>


On Jul 28, 2008, at 10:45 AM, Jonas Sicking wrote:

>
> Arthur Barstow wrote:
>> Hi Sam,
>> This seems like a reasonable extension to me.
>> A colleague asks "Are there any new security concerns by putting  
>> this inside XHR, or is the assumption that we are not exposing  
>> anything new?"
>> What are your thoughts on that question? I presume "not exposing  
>> anything new" given this type of functionality is already provided  
>> (e.g. form submission as mentioned below).
>
> Yes, I believe that when we implemented a similar feature in mozilla  
> (different API though) we came to the conclusion that it didn't  
> expose anything significantly new.
>
> There were a few differences though:
> If the File object can be stored in an offline cache, this means  
> that somebody could today be theoretically protected while inside a  
> corporate firewall, as long as they always restart the browser  
> before leaving that firewall. I.e. even if you were somehow tricked  
> into choosing to upload a file, a corporate firewall could protect  
> that data from ever reaching the server. However if the File object  
> can be stored in a offline cache, such as localStore, then  
> restarting the browser will not prevent this.

I am not sure this is a real attack vector, as the only local storage  
provided are string based, so one could not store the File object  
itself.

>
> Same holds true if a File object can be used to directly read data  
> out from the file.

This would be the real vector.

>
>
> So while File upload through XHR on its own does not seem to cause  
> any security issues. There are some theoretical attacks where it can  
> be used in combination with other things.
>
> However at mozilla we did not consider these new attacks likely  
> enough that it prevented us from implementing the feature. The main  
> line of defense is the browser UI that lets you choose a file to  
> upload. If that doesn't protect the user well enough, the user is in  
> the vast majority of cases compromised anyway.

Agreed.

>
> / Jonas
>

- Sam
Received on Monday, 28 July 2008 18:09:30 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:27 GMT